
Aerospace Safety 
Advisory Panel 

Annual Report 

March 1995 


Aerospace Safety Advisory Panel 
Code Q-1 

NASA Headquarters 
Washington, DC 20546 


Tel: (202)358-0914 



Reply to Attn of: 


National Aeronautics and
Space Administration

Headquarters 

Washington, DC 20546-001 


Q-1 March 1995


Honorable Daniel S. Goldin 
Administrator 
NASA Headquarters 
Washington, D.C. 20546 


Dear Mr. Goldin: 

The Aerospace Safety Advisory Panel (ASAP) is pleased to submit its annual report
covering the period from February 1994 through January 1995. Overall, the Panel
uncovered no “show stoppers” related to safety, which is indicative of NASA’s continuing
commitment to risk management and reduction.

NASA’s programs made significant advances during the past year. We are particularly
pleased that all of the components of the Block II Space Shuttle Main Engine modifications
are now underway and making good progress. Nevertheless, the safety impact of
severe budget cutbacks and the departures of key personnel, particularly on labor-intensive
operations such as Space Shuttle processing, continue to warrant the Panel's attention.

We remain concerned about the effective implementation of the joint U.S./Russian safety 
requirements. It has been difficult for us to obtain the timely and in-depth information 
needed to become comfortable in our oversight role of these programs. We will continue 
to follow the NASA collaboration with the Russians in the year to come with the specific 
goal of obtaining a better understanding of the joint safety processes. 

The Aerospace Safety Advisory Panel appreciates the support received from NASA and 
its contractors. We are also grateful for NASA’s timely response to last year's report. 
This permitted us to pursue open items in an expeditious manner. As in the past, we ask 
that you respond only to Section II, “Findings and Recommendations,” of the current 
submission. 



Very truly yours, 



Norman R. Parmet 
Chairman 

Aerospace Safety Advisory Panel 



TABLE OF CONTENTS

I. INTRODUCTION

II. FINDINGS AND RECOMMENDATIONS

A. SPACE STATION PROGRAM
B. SHUTTLE/MIR (PHASE ONE) PROGRAM
C. SPACE SHUTTLE PROGRAM
   Orbiter
   Space Shuttle Main Engine (SSME)
   External Tank
   Solid Rocket Booster (SRB)
   Logistics and Support
D. AERONAUTICS
E. OTHER

III. INFORMATION IN SUPPORT OF FINDINGS

A. SPACE STATION PROGRAM
B. SHUTTLE/MIR (PHASE ONE) PROGRAM
C. SPACE SHUTTLE PROGRAM
   Orbiter
   Space Shuttle Main Engine (SSME)
   External Tank
   Solid Rocket Booster (SRB)
   Logistics and Support
D. AERONAUTICS
E. OTHER

IV. APPENDICES

A. NASA AEROSPACE SAFETY ADVISORY PANEL MEMBERSHIP
B. NASA RESPONSE TO MARCH 1994 ANNUAL REPORT
C. AEROSPACE SAFETY ADVISORY PANEL ACTIVITIES




I. INTRODUCTION 








NASA continued its safe and productive space 
and aeronautics programs over the past year in 
spite of budget cutbacks and political uncer- 
tainties. Seven successful Space Shuttle mis- 
sions added significant knowledge in science 
and technology and on the ability of humans to 
adapt to space. These flights included the 
repair of the Hubble Space Telescope and also 
laid the groundwork for rendezvous and dock- 
ing with the Russian Mir Space Station. The 
Langley Research Center completed its work 
on the joint NASA/Federal Aviation 
Administration wind shear detection program. 
The results were rapidly transferred to safety 
improvements throughout the world. The 
International Space Station (ISS) began to take 
shape during the year as designs matured and 
the cooperative agreements with the Russian 
Space Agency and its contractors were clari- 
fied. In all, it was a year of significant incre- 
mental accomplishments, progress on long- 
term programs and, most importantly, safe air- 
craft and spacecraft operations. 

The Aerospace Safety Advisory Panel 
(ASAP) monitored NASA’s activities 
and provided feedback to the NASA 
Administrator, other NASA officials and the 
Congress throughout the year. Particular 
attention was paid to the Space Shuttle, its 
launch processing and planned and potential 
safety improvements. The Panel monitored 
Space Shuttle processing at the Kennedy 
Space Center (KSC) and will continue to fol- 
low it as personnel reductions are implement- 
ed. There is particular concern that upgrades 
in hardware, software and operations with the 
potential for significant risk reduction not be 
overlooked due to the extraordinary budget 
pressures facing the agency. The authoriza- 
tion of all of the Space Shuttle Main Engine 
(SSME) Block II components portends future 
Space Shuttle operations at lower risk levels 
and with greater margins for handling 
unplanned ascent events. On the other hand, 
delaying the incorporation of Global
Positioning System (GPS) capability in the
Orbiter represents a significant lost opportunity
for safety enhancements.

Throughout the year, the Panel attempted to 
monitor the safety activities related to the 
Russian involvement in both space and aero- 
nautics programs. This proved difficult as the 
working relationships between NASA and the 
Russians were still being defined as the year 
unfolded. NASA’s concern for the unique 
safety problems inherent in a multi-national 
endeavor appears appropriate. Actions are 
underway or contemplated which should be 
capable of identifying and rectifying problem 
areas. The Panel will monitor the joint 
NASA/Russian effort closely in the upcoming 
year. Particular emphasis will be placed on the 
potential for an increase in launch schedule 
pressure as the Shuttle/Mir missions begin. 
NASA must renew efforts to resist pressures to 
assign a launch schedule priority so high that 
safety may be compromised. 

In the coming year, the ASAP will extend and 
adapt its oversight activities as needed to cover 
the new and revised safety challenges inherent 
in the continued U.S. leadership in aeronautics 
and the expanded habitation of space by 
humans. 

During the year, Mr. Charles J. Donlan retired 
as a Panel member and became a consultant to 
the ASAP. Ms. Yvonne C. Brill was appointed 
as a member of the Panel. Mr. Paul M. 
Johnstone, a member of the Panel, was made 
deputy chairman and chairman designate. 

The balance of this report presents “Findings 
and Recommendations” (Section II), 
“Information in Support of Findings and 
Recommendations” (Section III) and 
Appendices describing Panel membership, the 
NASA response to the March 1994 ASAP 
report and a chronology of the Panel’s activi- 
ties during the reporting period (Section IV). 






II. FINDINGS AND RECOMMENDATIONS 




A. SPACE STATION PROGRAM 


Finding #1 

The original organization of the International
Space Station (ISS) Program included an independent
safety assessment function reporting
directly to the Program Manager. Subsequently,
this was changed so that independent assessment
reported directly to the Associate
Administrator for Safety and Mission
Assurance.

Recommendation #1 

Maintain the true independence of the safety 
assessment function by ensuring that it reports 
outside the Space Station Program. 

Finding #2

The ISS Program has committed to providing 
an assured crew return capability. This will ini- 
tially be accomplished by using a combination 
of docked Space Shuttles and Soyuz capsules. 
Once the ISS is permanently and fully staffed, 
a newly designed Assured Crew Return 
Vehicle (ACRV) will be deployed. 

Recommendation #2

The use of the Space Shuttle and Soyuz as an 
interim measure is an expedient. The planned 
new ACRV is definitely needed to support 
safety in the long term. The design of this per- 
manent ACRV, regardless of where and when 
it is built, should be consistent with the design 
reference missions and systems requirements 
previously defined by the ACRV Office of the 
Space Station Freedom. 

Finding #3 

The architecture of the ISS contains a Caution 
and Warning (C&W) system to detect and 
warn of malfunctions and emergencies, includ- 
ing toxic spills, depressurization and fire. The 
system makes use of laptop computers for 
localization of faults. 

Recommendation #3 

Careful consideration should be given to the
appropriateness of using laptop computers for
a task as time critical as localizing life-threatening
emergencies. The entire fault detection
and localization process should use dedicated
equipment to minimize response time.

Finding #4

The absence of experimental data for fire sup- 
pression effectiveness of the carbon dioxide 
extinguishers selected for use on the ISS under 
weightless conditions is a source of concern. 

Recommendation #4

Appropriate ground-based and in-flight 
research to confirm the suitability of the use of 
pressurized carbon dioxide fire extinguishers 
under weightlessness should be conducted. 

Finding #5 

The present procedures for monitoring or con- 
trolling hazardous materials and procedures 
used in ISS experiments are dependent on the 
experiment supplier complying with Station 
requirements and specifications. 

Recommendation #5

NASA should establish a positive system of 
compliance assurance modeled after the one 
used by the Space Shuttle Program. This sys- 
tem should consider the entire service life of 
the experiment and its deactivation when 
completed. 

Finding #6 

Good progress has been made in defining the 
threat from orbital debris and in demonstrating 
efficient shielding configurations. A technical 
basis for a debris protection specification for 
ISS is emerging. 

Recommendation #6

Continue design with emphasis on: structural 
integrity of habitable modules and pressure 
vessels; identification of the damage potential 
from direct impact and other depressurization 
events; and definition and development of 
operational procedures and policies. 





B. SHUTTLE/MIR (PHASE ONE) PROGRAM 


Finding #7

The Russian Androgynous Peripheral Docking 
System (APDS) for docking the Space Shuttle 
with the Mir uses 12 active hooks on the Space 
Shuttle side which mate with an equal number 
of passive hooks on the Mir. The design cur- 
rently provides no positive means of determin- 
ing whether any or all of the hooks are 
secured. NASA has decided it is an acceptable 
risk to fly the first docking mission, STS-71, 
without an indicator. 

Recommendation #7 

NASA should develop an indicator system.

Finding #8

If the primary system fails, the first backup
separation system for the APDS is a set of pyro
bolts which disengage the 12 active hooks.
Having to rely on the pyros as presently supplied
by the Russian Space Agency poses risk
because of lack of knowledge relating to the
pyros’ pedigree and certification. A second
contingency demate procedure is available
involving the Extravehicular Activity (EVA)
removal of 96 bolts at a different interface.
Implementing either backup method to separate
Shuttle from Mir may leave the Mir port
unusable for future dockings.

Recommendation #8 

NASA should emphasize increasing the relia- 
bility of the primary mating/demating mecha- 
nisms in order to reduce the likelihood of hav- 
ing to use either of the backups. NASA should 
also obtain an acceptable certification of the 
supplied pyro bolts. Failing that, NASA should 
procure fully certified substitute bolts. 





C. SPACE SHUTTLE PROGRAM 


ORBITER 

Finding #9 

Significant additional payload mass capability 
is required to meet the demands of the ISS 
assembly and supply plans. Much of the need- 
ed increase in capacity will be achieved 
through weight reduction programs on a num- 
ber of Space Shuttle elements and subsystems. 
The large number of simultaneous changes 
creates potential tracking and communication 
problems among system managers. 

Recommendation #9 

Emphasis should be placed on the adequate 
integration of all of the changes into the total 
system. 

Finding #10 

The New Gas Generator Valve Module 
(NGGVM), when certified and retrofitted to 
the fleet, should mitigate many of the prob- 
lems with the current Improved Gas Generator 
Valve Module in the Improved Auxiliary 
Power Unit (IAPU). The NGGVM develop- 
ment program is proceeding well. 

Recommendation #10 

NASA should attempt to introduce the 
NGGVM into the fleet as soon as possible as a 
safety and logistics improvement. 

Finding #11 

The decision has been made to install the 
entire Multi-Function Electronic Display 
System (MEDS) in each Orbiter during a sin- 
gle Orbiter Maintenance and Down Period 
(OMDP). An Advanced Orbiter Displays/ 
System Working Group has been formed to 
plan for the next generation of MEDS formats 
and display enhancements. 

Recommendation #11 

NASA should support the Advanced Orbiter
Displays/System Working Group and set a
timetable for the introduction of enhanced display
formats which will improve both safety
and operability. It should also maintain its
commitment to completing the MEDS installations
during a single OMDP.

Finding #12 

The Tactical Air Control and Navigation 
(TACAN) and Microwave Scanning Beam 
Landing System (MSBLS) on-board receivers 
are obsolescent and increasingly difficult to 
maintain. The MSBLS receivers also have 
known design problems which can lead to 
erroneous guidance information if the Orbiter 
is operating with only two of the three receiver 
complement. A Global Positioning System 
(GPS) test is underway on one of the Orbiters 
using the backup flight software and computer. 
The use of GPS could replace both the 
TACAN and MSBLS systems as well as assist- 
ing ascent and on-orbit operations. 

Recommendation #12 

Given the potential of GPS to improve safety 
and reliability, reduce weight and avoid 
obsolescence and the many existing and 
potential problems with the use of TACAN 
and MSBLS, a full GPS implementation on 
the Orbiter should be accomplished as soon 
as possible. 

Finding #13 

Growth in the requirements for on-board data 
processing will continue as the Space Shuttle 
is used in support of Shuttle/Mir, ISS and other 
future missions. The length of time over 
which the General Purpose Computer and its 
software will be able to meet these growing 
needs effectively is likely inadequate. 

Recommendation #13 

NASA should expedite a long-range strategic 
hardware and software planning effort to 
identify ways to supply future computational 
needs of the Space Shuttle throughout its life- 
time. Postponing this activity invites a critical 
situation in the future. 




Finding #14

The STS-64 mission involved a higher than 
usual level of windshield hazing which could 
have led to a situation in which the astronauts’ 
view of the landing runway was obscured. 
MSBLS and TACAN are obsolescent. There is 
also the possibility that false indications by 
MSBLS under certain scenarios could result in 
an unacceptable risk of a landing mishap. 
Thus, there is a clear need for early upgrade of 
Orbiter and support facility autoland equipment 
and crew flight rules and training improvement. 

Recommendation #14 

NASA should improve the autoland equipment 
on the Orbiter; for example, replacing MSBLS 
and TACAN with GPS. In the interim, NASA 
should ensure that operations and failure modes 
of MSBLS are fully examined and understood. 
NASA should also reexamine the training of 
crews for executing automatic landings, includ- 
ing autoland system familiarization. Astronaut 
commanders and pilots should discuss circum- 
stances which might warrant autoland use prior 
to each mission and be prepared for all reason- 
able contingencies in its operation. 

SPACE SHUTTLE MAIN ENGINE (SSME)

Finding #15 

It has become necessary to execute a partial dis- 
assembly of both the engines and turbopumps 
after each flight because of the accumulation of 
special inspection requirements and service life 
limits on components of the current (Phase II) 
SSMEs. These inspections are performed with 
rigor and appropriate attention to detail. 

Recommendation #15 

In order to control risk, NASA must maintain 
the present level of strict discipline and atten- 
tion to detail in carrying out inspection and 
assembly processes to ensure the reliability and 
safety of the SSMEs even after the Block I and 
Block II upgrades are introduced. 


Finding #16 

The re-start of the Advanced Turbopump 
Program (ATP) High Pressure Fuel Turbopump 
(HPFTP) and the start of the Large Throat 
Main Combustion Chamber (LTMCC) devel- 
opments were authorized in the spring of 1994. 
Combined with the ongoing component devel- 
opments of the Block I engine, this will pro- 
duce a Block II engine which will contain all of 
the major component improvements that have 
been recommended over the past decade to 
enhance the safety and reliability of the SSME. 
Both the Block I and Block II programs have 
made excellent progress during the current year 
and are meeting their technical objectives. 

Recommendation #16 

Continue the development of the Block II 
modifications for introduction at the earliest 
possible time. 

Finding #17 

In order to provide an engine health monitor- 
ing system that can significantly enhance the 
safety of the SSME, improvements must be 
made in the reliability of the engine sensors 
and the computational capacity of the con- 
troller. It is also essential to eliminate the dif- 
ficulties with the cables and connectors of the 
Flight Accelerometer Safety Cut-Off System 
(FASCOS) so that vibration data can be 
included in the parameters used in the algo- 
rithms that determine engine health. 

Recommendation #17 

Expand and emphasize the program to improve 
engine health monitoring. Continue the pro- 
gram of sensor improvements. Vigorously 
address and solve the cable and connector 
problems that exist in FASCOS. Continue the 
development of health monitoring algorithms 
which reduce false alarms and increase the 
detectability of true failures. 

Finding #18 

The Block II SSME can improve safety if an
abort is required because it can be operated
more confidently at a higher thrust level. This
will permit greater flexibility in the selection
among abort modes.

Recommendation #18 

NASA should reexamine the relative risks of 
the various abort types given the projected 
operating characteristics of the Block II 
SSMEs. Particular emphasis should be placed 
on the possibility of eliminating or significant- 
ly reducing exposure to a Return to Launch 
Site abort. 


EXTERNAL TANK 

Finding #19 

The liquid oxygen tank aft dome gore panel 
thickness of the Super Lightweight Tank 
(SLWT) has been reduced significantly on the 
basis of analyses. To stiffen the dome, a rib 
was added. The current plan to verify the 
strength of the aft dome involves a proof test 
only to limit load. Buckling phenomena can- 
not be extrapolated with confidence between 
limit and ultimate loads. 

Recommendation #19 

The SLWT aft dome should either be tested to 
ultimate loads or its strength should be 
increased to account for the uncertainties in 
extrapolation. 

SOLID ROCKET BOOSTER (SRB)

Finding #20 

The structural tests of a segment of an SRB aft 
skirt in the baseline configuration did not 
duplicate the strains and stresses previously 
measured in the tests of the full-scale aft skirt 
Structural Test Article (STA-3). This suggests 
that segment testing of the proposed bracket 
modification to improve the aft skirt’s factor of 
safety may not be valid. 


Recommendation #20 

NASA should reassess the use of the segment 
test method and reconsider the use of a full 
scale test article for qualifying the proposed 
bracket reinforcement. 

LOGISTICS AND SUPPORT 

Finding #21 

The effort by the NASA logistics organization 
and its principal contractors has resulted in sat- 
isfactory performance. There remain a few 
problems, such as a tendency towards increased 
cannibalization, which still require attention. 

Recommendation #21 

Every effort should be made to avoid cannibal- 
izations, particularly on critical components 
such as the SSME and the IAPU. 

Finding #22 

The Integrated Logistics Panel (ILP) continues 
to meet at six-month intervals, usually at the 
Kennedy Space Center (KSC) or the Marshall 
Space Flight Center. The ILP serves a valu- 
able coordinating and liaison function for the 
entire logistics operation. Its personnel com- 
plement has been reduced as part of the overall 
NASA staff cutbacks. 

Recommendation #22 

NASA should maintain support of an effective 
ILP. 

Finding #23 

There is a plan to consolidate all logistics ele- 
ments at KSC except Spacelab over the next 
three or four years. This should unify the 
entire logistics and supply organization. The 
realignments are intended to eliminate duplica- 
tion of effort, gain efficiency in support and 
materially reduce the cost of operation. 

Recommendation #23 

Proceed as outlined in the NASA plan. 




D. AERONAUTICS 


Finding #24

NASA has entered into a contract with the
Tupolev Design Bureau of Russia to support
flights of a TU-144 supersonic airplane for a
joint U.S./Russian research program. The TU-144
has a questionable safety record, and the
particular airplane to be used has not been
flown for a number of years. The level of
assurance available for this flight project may
not be equivalent to that typically associated
with NASA's flight research programs.

Recommendation #24

NASA should assure that all design and safety 
data and operational characteristics of this 
vehicle have been fully explored. 

Finding #25

Wind shear encounters, while infrequent, con- 
stitute a highly significant aviation hazard that 
has been a causal factor in major crashes. A 
joint NASA/Federal Aviation Administration 
(FAA) Airborne Wind Shear Sensor Program 
has developed methods, already being imple- 
mented, for providing timely warning to air- 
craft in danger of encountering such atmos- 
pheric conditions. 


Recommendation #25 

Continue research relating to wind shear and 
other aircraft-threatening phenomena, such as 
wake vortices, and the transfer of related tech- 
nologies to users. 

Finding #26 

NASA has a coordinated program of tire
research operating from the Langley Research
and Dryden Flight Research Centers. This
program has the capability to provide significant
safety improvements for present and
future aircraft and spacecraft.

Recommendation #26 

In addition to supporting the Space Shuttle and 
other research programs such as the High 
Speed Civil Transport, NASA should continue 
to emphasize and transfer lessons learned in 
the tire research effort to all segments of the 
user community. 

Finding #27 

The Dryden Flight Research Center (DFRC)
has completed a demonstration of the concept
of a Propulsion Controlled Aircraft (PCA) system
using an F-15 aircraft flight test and an
MD-11 simulator demonstration. This system
permits an aircraft to be guided to a landing in
an emergency using only thrust for flight path
control. DFRC is now exploring a joint program
with industry to extend the demonstration
to a flight test on a large commercial aircraft.
Although the PCA concept has been
proved, the pilot control interface aspects of
the design have yet to be systematically
addressed.

Recommendation #27 

Any flight test program on a large commercial 
aircraft should include a strong focus on 
selecting the optimum pilot control interface 
for the system. 


Finding #28 

The range safety policy for Unmanned Aerial 
Vehicle (UAV) operations within the Edwards 
Air Force Base range worked when the 
Perseus Program suffered an in-flight failure. 
Range safety for Perseus flights outside of the 
restricted Edwards airspace has yet to be 
addressed. 

Recommendation #28 

Consideration should now be given to estab- 
lishing a UAV policy to cover Perseus flights 
conducted outside of controlled airspace at 
Edwards. 





E. OTHER 


Finding #29 

The Simplified Aid for EVA Rescue (SAFER) 
was successfully flight tested on the STS-64 
mission. Although designed as a rescue 
device for an astronaut who becomes unteth- 
ered, SAFER has demonstrated its potential 
to assist in other safety-critical situations 
such as contingency EVAs. Five SAFER 
flight units have been ordered. Plans are to 
deploy them on Mir and Space Station as well 
as to carry them on the Space Shuttle only 
when an EVA is planned. 

Recommendation #29 

Once the flight units are available, NASA 
should consider routinely flying SAFER units 
on all Space Shuttle missions which do not 
have severe weight limitations. This will per- 
mit them to be used for those contingency 
EVAs in which safety can be improved by 
giving crew members the capability to trans- 
late to the location of a problem to make an 
inspection or effect a repair. 

Finding #30 

NASA has established a Software Process 
Action Team (SPAT) to review and develop 
plans for addressing the software concerns 
that have been raised within NASA and by 
several review boards including the National 
Research Council and the Aerospace Safety 
Advisory Panel. While NASA has extensive 
procedures for addressing software issues in 
some arenas, these issues have not received 
uniform recognition of their importance 
throughout the agency. 

Recommendation #30 

NASA should ensure that computer software 
issues are given high priority throughout the 
agency and that those addressing these issues 
are given the support needed to produce ade- 
quate ways of dealing with them. The creation 
of the SPAT was an important initial step 
toward dealing with complex safety critical 
problems, but much more needs to be done. 


Finding #31 

There were several in-flight and ground-based 
episodes in which astronauts developed 
adverse reactions to substances used in human 
experiments. Although the researchers guid- 
ing these experiments submit their protocols 
to a standard Institutional Review Board 
(IRB) process, there is no independent over- 
sight of the safety of human experiments 
within NASA. 

Recommendation #31 

NASA should provide independent oversight 
of human experimentation by establishing a 
review process in addition to the standard 
IRB and ensuring that the Space Shuttle and 
Space Station systems requirements provide 
sufficient equipment, staffing and training to 
react appropriately to any problems which 
might be experienced. 

Finding #32 

The number of reports submitted to the 
Aviation Safety Reporting System (ASRS) 
has nearly doubled since 1988 and has consis- 
tently been above the levels projected when 
the system was started. In these same years, 
budgetary resources have remained flat so 
that, even with significant productivity 
increases, the portion of incidents that receive 
detailed analysis has declined. In addition, 
ASRS has not been able to develop cost- 
effective electronic dissemination of advi- 
sories or a program of educational outreach to 
expand use of ASRS by the aviation commu- 
nity, both of which would be significant safe- 
ty enhancements. 

Recommendation #32 

NASA and the FAA should restore the full 
capability of analysis, interpretation, and dis- 
semination of the ASRS and promote 
electronic dissemination and expanded educa- 
tional outreach. 





Finding #33

For many years, NACA and NASA aeronauti- 
cal research and flight safety benefitted from 
the advice and counsel provided by an advi- 
sory group of aircraft operations specialists 
consisting of representatives from civil and 
military aviation and manufacturers of air- 
craft, engines and accessories as well as 
NACA/NASA personnel. 

Recommendation #33 

NASA should restore the previous capacity to
capture the operational experience it found
useful in improving its research focus and
flight safety.

Finding #34 

Total Quality Management (TQM) is an 
established philosophy within NASA and 
among its principal contractors, and imple- 
mentations continue to improve. 

Recommendation #34 

None. 






III. INFORMATION IN SUPPORT OF FINDINGS 
AND RECOMMENDATIONS 







A. SPACE STATION PROGRAM 


Ref: Finding #1 

The initial organization of the International 
Space Station (ISS) as presented to the Panel at 
the Johnson Space Center (JSC) placed the 
independent safety assessment function under 
the program manager. In actual fact, an inde- 
pendent assessment function can only be truly 
independent if the director of that function is 
established on the same organizational level as 
the program manager. In that way, any dispute 
automatically elevates to the next higher level 
(Associate Administrator) for resolution. 

After this was brought to the attention of 
NASA management, the organizational struc- 
ture was changed so that the head of indepen- 
dent assessment reported directly to the 
Associate Administrator for Safety and 
Mission Assurance (S&MA). This provides 
true independence for this critical function. 

Ref: Finding #2 

The Space Station Freedom (SSF) Program 
formed an Assured Crew Return Vehicle 
(ACRV) office to examine requirements for a 
dedicated spacecraft to return the crew from an 
orbiting space station in the event of an emer- 
gency. Three Design Reference Missions 
(DRMs) were identified including a medical 
emergency, an evacuation due to the loss of hab- 
itability of the station and a lapse in Space 
Shuttle logistics support. These DRMs were 
used to develop a set of performance require- 
ments for an ACRV to be deployed on the Space 
Station Freedom when permanently crewed. 

The International Space Station is a different 
design from SSF. Nevertheless, the DRMs 
remain valid as they were generic to any 
crewed orbiting platform serviced by launch 
vehicles from the earth. Likewise, the ACRV 
system requirements generated from the 
DRMs also offer valid guidance for any ACRV 
to be built in support of ISS. 

At present, NASA has made the decision to
support initial crew return efforts with a mixture
of docked Orbiters and Soyuz capsules.
This interim approach does not fully meet the
previously defined requirements for an ACRV.
For example, a single Soyuz cannot accommo- 
date the complement of a fully staffed station 
and has only about a six month service life on 
orbit. Nevertheless, this appears to be a reason- 
able compromise as an expedient. The long- 
range NASA plan is to deploy a newly 
designed ACRV in approximately the year 
2002 when the ISS is completed and fully 
staffed. This vehicle, which may be U.S. built 
or supplied by one of the international partners, 
is vitally important for safety. Regardless of 
where it is built, its design should adhere to the 
systems requirements developed for the SSF 
ACRV. These requirements are complete and 
appear fully applicable as a starting point for 
any new ACRV. Also, in order to be available 
by the target date, a commitment to starting this 
vehicle must be made in the near future. 

Ref: Findings #3 and #4 

The ISS design includes systems and proce- 
dures to warn of, localize and react to a variety 
of malfunctions and emergencies that may 
occur during Station operation. The heart of 
these provisions is the Caution and Warning 
(C&W) system. This system consists of sen- 
sors distributed throughout the station which 
are designed to detect such things as tempera- 
tures, pressures and the presence of particulate 
matter within both racks and the general areas 
of the modules. Signals from the sensors are 
sent to a Multiplexer/Demultiplexer (MDM) 
which, acting as a data processor, discrimi- 
nates between normal and abnormal condi- 
tions. The results of these analyses are sent to 
a set of redundant “command and control” 
MDMs via a digital data bus. These MDMs 
are, in turn, programmed to determine the 
nature and level of caution or warning to be 
issued. The resulting signals are sent to other 
MDMs which drive an annunciator panel in 
each of the five modules of the Station as well 
as to associated audio systems which sound 
alarms as required. The panels contain five 
lights, three of which are programmed to indicate
a specific type of emergency: fire, toxic 
environment and depressurization, but not the 
location of the emergency. In the present 
design, localization must be accomplished by 
connecting a laptop computer (via a computer 
port at the panel) programmed to be able to 
query the system as to the location and nature 
of the problem. 

The layout of the system is reasonably straight- 
forward and is independent of the Station’s 
Data Management System. The fact that the 
laptop is apparently not dedicated to the fault 
localization process is a source of concern. 
Certainly, the time lost in making the computer 
connection and running the program would 
appear to be a waste of a precious commodity 
in an emergency. Also, all software used in any 
laptop on ISS must be configuration controlled 
and subjected to appropriate levels of 
Independent Verification and Validation. 

Active attention is being paid to the possibili- 
ty of a toxic spill in the station. Every 
precaution is to be taken in the design of 
containers for and in the handling of toxic 
substances; requirements for these safety 
aspects have been developed and documented 
and are to be levied on all users. Contingency 
procedures are being developed in the event 
of a spill and are to be part of the training 
program for crew members. 

The possibility of fire in the Station is always 
present, and combustion detectors are among 
the sensors in the caution and warning system. 
Research into combustion phenomena under 
weightless conditions has been conducted for a 
number of years, and the processes are reason- 
ably well understood. At this time the Station 
has selected hand-held pressurized carbon 
dioxide extinguishers for fire suppression. 
These are to be used after air circulation within 
a rack, for example, has been stopped. There 
are, however, no experimental data on the 
effectiveness of such extinguishers in the environment
of the Station. Experiments should be 
devised for both ground and flight tests to veri- 
fy the effectiveness of this fire suppression 
technique. These can be relatively simple and 
straightforward with the sole objective of veri- 
fying the suppression capability of carbon 
dioxide in weightless conditions. 

Ref: Finding #5 

The Space Station’s major reason for existence 
is to provide a platform for experimentation in 
space. As such, there will be great emphasis 
on obtaining experiments from diverse 
sources. These will likely include the aero- 
space industry, which is intimately familiar 
with the unforgiving nature and limitations of 
space, as well as sources which may or may 
not have any concept of the criticality of strict 
compliance with the requirements involved. 
NASA will make a grave error if inadequate 
means are provided to inspect and monitor the 
payload/experiment supplier. The Space 
Shuttle and some of its major payloads, such 
as Spacelab, already have excellent programs 
for specifying requirements and verifying 
compliance. These existing programs can 
serve as models for a similar ISS system. 

Ref: Finding #6 

Progress has been made this year in several 
areas related to the hazard to the ISS from 
orbital debris. A new assessment of the debris 
environment at ISS orbital altitude has led to a 
revised specification of the flux levels to be 
used for design. This specification is in the 
process of approval by both U.S. and Russian 
participants. 

Several “campaigns” have been carried out this 
year to measure the flux of debris in Low 
Earth Orbit (LEO). The Haystack radar and 
other radars and optical sensors based at sever- 
al latitudes have been employed to amass sta- 
tistical data on the flux of particles 1 cm in 
diameter and larger in LEO. In addition, good 
data were obtained by launching calibration 
spheres in the Orbital Debris Radar Calibration 
Spheres (ODERACS) experiment deployed 
from STS 60 in February 1994 and tracking 
them until they decayed from orbit. This 
experiment improved the ability to assess par- 
ticle size on the order of 30%. Further experi- 
ments are planned for the near future to refine 
these figures and to introduce dipoles to better 
calibrate the radars in all polarizations. The 
overall result has been that the measured 
debris environment appears to be a factor of 
two lower at ISS altitudes (350-500 km) and 
somewhat higher near the 1,000 km altitude 
than in previously published NASA models. 

The approach to evaluating probability of criti- 
cal impact has been modified to account sepa- 
rately for each of the inhabited modules and to 
take notice of the reduced (compared to SSF) 
projected area of the current design and 
revised flux levels. These changes bring the 
“Probability of No Critical Penetration” to 
near acceptable levels. 

NASA carried out a series of tests in the 
Spring of 1994 firing projectiles at hypersonic 
velocities (11.0 to 11.5 km/sec) into shield 
samples. The results of this program have led 
to the decision that the “Stuffed Whipple 
Shield” will be the standard for ISS. The 
Stuffed Whipple Shield is a standard Whipple 
shield, a thin metal plate mounted on stand- 
offs in front of the protected surface, modified 
by inserting a layer of Nextel AF62 and Kevlar 
midway between the plate and the surface. 
Such a shield proves to be superior, with 
respect to mass versus penetration damage, to 
an alternate design incorporating additional 
aluminum plates. This approach seems 
promising for protecting the ISS within mass 
constraints. 

Protection of the ISS from debris must be con- 
sidered as an overall system composed of 
understanding of the environment, external and 
internal shielding, a comprehensive avoidance 
system, and operational procedures to mini- 
mize the likelihood of impact as well as to 
react to penetration damage and possible 
depressurization. Such a design is being pro- 
posed, but it is still in the early stages of for- 
mulation, particularly with respect to the active 
avoidance system and operational procedures. 





B. SHUTTLE/MIR (PHASE ONE) PROGRAM 


Ref: Findings #7 and #8 

The Androgynous Peripheral Docking System 
(APDS) joins the Space Shuttle and Mir using 
12 active hooks on the Orbiter side that engage 
12 passive hooks on the Mir side. It is not currently
known how many latched hooks are 
required for safe docking security. The best 
that can be said is that the number is equal to 
or less than 12 but more than zero. The hooks 
operate in two sets of six each. One of the 
hooks in each set is activated directly by a 
motor which also drives a cable control assem- 
bly to actuate the other five hooks in the set. 
In order to release the Orbiter from the Mir, the 
motors have to counter-rotate to disengage the 
active hooks. Any single failure in the system 
can result in one or more hooks not engaging 
or disengaging as commanded. The system 
design makes no provision to advise the flight 
crew or ground control of the status of each 
hook, and therefore a positive docking or 
undocking indication is absent. NASA should 
implement an indicator system as soon as pos- 
sible to eliminate this risk. 

The first backup separation system for the 
APDS is a set of pyro bolts which disengage 
the 12 active hooks on the Orbiter side if they 
fail to retract. Having to rely on the pyros as 
presently supplied by the Russian Space 
Agency poses risk because of lack of knowl- 
edge relating to the pyros’ pedigree and certifi- 
cation. A second contingency demate proce- 
dure is available involving removal of 96 bolts 
at a different interface by Extravehicular 
Activity (EVA) if the pyros do not function. In 
the event that either the pyro or the EVA plan 
to separate Shuttle-Mir must be used, its 
implementation may leave the Mir port unus- 
able for future dockings. 






C. SPACE SHUTTLE PROGRAM 


ORBITER 

Ref: Finding #9 

In order to assemble the Space Station at its 
51.6 degree inclination, an additional 13,000- 
15,000 pounds of Space Shuttle payload capa- 
bility will be required for most assembly 
flights. The additional capacity is to be pro- 
vided by a combination of weight reductions 
and ascent performance enhancements. 

NASA has begun to analyze the thermal and 
structural loads environments for the Orbiter 
after the defined enhancements are incorporat- 
ed and expects to complete the analyses in 
August 1995. The situation is, of course, 
dynamic and highly interactive. The large 
number of simultaneous changes creates 
potential tracking and communication prob- 
lems among system managers. Emphasis must 
therefore continue to be placed on the adequate 
integration of all of the changes into the total 
system. 

Ref: Finding #10 

The New Gas Generator Valve Module 
(NGGVM) development program for the 
Improved Auxiliary Power Unit (IAPU) is on 
target for commencing fleet retrofit towards 
the end of 1996. The NGGVM design effectively
eliminates many of the design deficiencies
and Criticality 1 failure modes associated 
with the Improved Gas Generator Valve 
Module (IGGVM) which is now flying. In par- 
ticular, the NGGVM: eliminates many welds 
and those remaining are inspectable; is 
designed to eliminate seat cracking problems; 
and has eliminated thin wall hydrazine barri- 
ers. The NGGVM design employs a spring- 
loaded metal-to-metal seat/poppet configura- 
tion for the pulse control valve which will 
reduce the safety concerns associated with seat 
exposure to hydrazine. 

The NGGVM Design Acceptance Review was 
successfully completed in late July 1994. Pre-qualification
testing is scheduled to begin in 
the second quarter of 1995 and conclude with 
a Design Review in the fall of 1995. Long 
lead time items of qualification hardware will 
be started while pre-qualification is still under- 
way (late 1995). Fabrication of qualification 
and production units will start in parallel at the 
beginning of 1996 to support commencing 
fleet retrofit late in that year. 

The NGGVM test plan has been greatly trun- 
cated based on recommendations of an expert 
team. The reduction from the originally 
planned 375 hours of testing to only 98 hours 
will save cost and time. The rationale for this 
reduction appears sound and consistent with a 
safe level of operations. 

The program has examined three alternative 
plans for introducing the NGGVM into the 
fleet. The first strives for the earliest possible 
incorporation. It would have all APUs upgraded
to the NGGVM by roughly the end of 1997. 
The second plan is attrition-based and would 
only upgrade the valve in an APU when the 
unit was already scheduled for overhaul. This 
would delay complete fleet introduction until 
approximately the year 2000. The third plan, 
which is the present plan for introduction, is 
opportunity-based. The ground rule of this 
plan is to maintain a predetermined minimum 
Kennedy Space Center (KSC) stock level of 
spare IAPUs during the modification cycle to 
support any unplanned removals. Any 
removed IAPUs not needed to support the 
minimum stock level will be shipped to the 
manufacturer for the NGGVM upgrade. 
Under this plan, NASA indicates that the 
NGGVM modifications can be completed in 
late 1998 or early 1999. 

The problem with the earliest possible incor- 
poration plan is that it must appropriate flight 
assets from the KSC. The projected result, 
assuming no unplanned removals, is that there 
will be fewer than a shipset of spares on hand 
at KSC for virtually all of 1997 and one quarter
of 1998. In fact, for two quarters of 1997 a 
position of zero spares is projected. The low 
spares count means that any unplanned 
removals could force cannibalization to keep 
the fleet flying. This is a highly undesirable 
situation which militates against adopting the 
earliest possible introduction plan. Including 
the IAPUs on whichever vehicle is undergoing 
its Orbiter Maintenance and Down Period 
(OMDP) at Palmdale in the spares count pro- 
vides only minimal relief for this problem. 

The attrition-based plan delays introduction 
and hence the availability of an important safe- 
ty and logistics improvement. The opportuni- 
ty-based plan, while a compromise, may still 
be associated with an unacceptably high 
chance of the need for cannibalizations to sup- 
port flight. 

There is a possible way to reduce or eliminate 
the potential for cannibalizations with the 
earliest possible or opportunity-based intro- 
duction plans at an additional cost. There are 
four baseline APUs in storage which were not 
upgraded to IAPUs with the balance of the 
units. The program assets include spare IAPU 
components sufficient to upgrade three of 
these baseline units to IAPUs, although this 
would significantly reduce the parts inventory. 
If a timely commitment for this conversion is 
made, the additional IAPUs would be avail- 
able to support NGGVM introduction. 
Although this would not move up the comple- 
tion date for either plan, it would ensure that 
at least a full shipset of spare IAPUs was 
available at all times. 

Given the manufacturing problems with the 
IAPU which surfaced during 1994 and the 
extent of hands-on labor needed to keep them 
flying, NASA should carefully consider all of 
the facets of the adopted NGGVM introduc- 
tion plan and give appropriate emphasis to the 
avoidance of possible cannibalizations or the 
need for unplanned IAPU removals from 
Orbiters during their OMDP. 


Ref: Finding #11 

A Multi-Function Electronic Display System 
(MEDS) with enhanced quality and functional- 
ity of displays has great potential to reduce 
workload, improve crew response time, reduce 
crew training requirements and provide the 
crew with better information for both normal 
and contingency operations. These capabilities 
could be extremely important for the safety of 
proximity operations with Mir or the Space 
Station. They will also be invaluable in the 
event of an abort situation. 

The initial plan was to install the foundation 
for the MEDS during an OMDP and to com- 
plete the installation during normal flows at 
KSC. In addition, the displays on the initial 
MEDS implementation were to emulate the 
existing electro-mechanical devices in both 
format and information content. Both of these 
decisions delayed achieving the full safety and 
operational benefits of which the MEDS is 
capable. The Shuttle Training Aircraft and 
training simulators are also to be upgraded to a 
MEDS configuration. 

The Space Shuttle Program has now decided to 
install the entire MEDS system during a single 
OMDP. Under this plan, an Orbiter will arrive 
in Palmdale with conventional instruments and 
leave with a full “glass cockpit” installation. 
This represents a significant improvement in 
the installation strategy and eliminates a myriad
of problems associated with a two-step transition.
It has also been decided to depart somewhat
from a strict emulation of the old displays,
although a fully developed MEDS format
has been deferred until a later generation 
of the system. 

NASA has committed to a future phase of 
Orbiter displays-and-controls update activities 
in order to achieve a state-of-the-art system. 
This effort should include both enhancements 
to the display formats themselves and the 
quantity and nature of information presented. 




Display format improvements for the existing 
set of displayed information can be achieved 
within the programming of the MEDS itself. 
Changes in the type of information presented 
will require modifications to the General 
Purpose Computer software. An Advanced 
Orbiter Displays/System Working Group has 
been formed to plan for the next generation of 
MEDS formats. This group has a limited 
budget and no firm deadlines. Given the 
potential benefits from a fully-enhanced 
MEDS, it would seem best for NASA to plan 
a firm schedule for MEDS upgrades and to 
support the working group to the maximum 
extent possible. 

Ref: Finding #12 

The full Microwave Scanning Beam Landing 
System (MSBLS) installation on the Orbiter 
includes three receivers, although only two 
must be operating in order to launch. When 
one of the three receivers fails to provide a 
correct output, it is taken off-line. This first 
failure is easy to identify when all three are 
on-line since the failure logically takes place 
in the receiver with a signal that differs from 
the other two, or if a logic flag within the 
receiver identifies a fault in that unit. 

With only two receivers on-line, certain fail- 
ures may be identified by a flag or by the 
Orbiter's on-board computer logic, but the 
probability of any failure being detected is 
not very high. With the current Orbiter sys- 
tem installation the two remaining receiver 
outputs are averaged and this signal is used as 
a navigation input during the final approach, 
flare and landing. If one of the two receivers 
fails during this time, the averaged output 
will obviously change and the MSBLS output 
will be in error. Flying with only two 
MSBLS receivers would be adequate for mis- 
sion success provided that the flying pilot can 
visually monitor the final approach and land- 
ing to determine if the remaining MSBLS 
receivers are providing accurate guidance 
information. 
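
The redundancy logic described in the two paragraphs above can be sketched as follows. This is an added Python illustration, not Orbiter flight software: the miscompare tolerance, the receiver names and all readings are constructed assumptions, and averaging three healthy units is assumed (the report states averaging only for the two-receiver case).

```python
"""Added illustration, not Orbiter flight software: receiver redundancy
management with three versus two units on-line."""
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional

TOLERANCE = 0.5  # assumed miscompare threshold; the report gives no figure


@dataclass
class Receiver:
    name: str
    value: float               # constructed reading, arbitrary units
    fault_flag: bool = False   # the unit's own internal fault indication
    online: bool = True


@dataclass
class Selection:
    output: Optional[float]    # value handed on as the navigation input
    removed: List[str]         # units taken off-line during this pass
    miscompare: bool           # remaining units disagree, culprit unknown


def _spread(units):
    values = [u.value for u in units]
    return max(values) - min(values)


def select(receivers: List[Receiver]) -> Selection:
    removed = []
    # A unit that flags its own fault can be isolated in any configuration.
    for r in receivers:
        if r.online and r.fault_flag:
            r.online = False
            removed.append(r.name)
    active = [r for r in receivers if r.online]

    # Three on-line: the failed unit is the one that differs from the
    # other two while those two agree with each other.
    if len(active) == 3:
        for r in active:
            others = [o for o in active if o is not r]
            if (_spread(others) <= TOLERANCE
                    and all(abs(r.value - o.value) > TOLERANCE for o in others)):
                r.online = False
                removed.append(r.name)
                break
        active = [r for r in receivers if r.online]

    if not active:
        return Selection(None, removed, False)
    # Two on-line: outputs are averaged. A disagreement can be seen but not
    # attributed to either unit, so the bad value stays in the average.
    return Selection(mean(u.value for u in active), removed,
                     _spread(active) > TOLERANCE)


def demo():
    truth = 3.0  # constructed "correct" reading
    return {
        # Third unit is far off: isolated by comparison, output unaffected.
        "three_one_bad": select([Receiver("RX-1", truth),
                                 Receiver("RX-2", truth),
                                 Receiver("RX-3", truth + 2.0)]),
        # Two units, one far off: disagreement seen, output in error by 1.0.
        "two_one_bad": select([Receiver("RX-1", truth),
                               Receiver("RX-2", truth + 2.0)]),
        # Two units, small drift under tolerance: error passes unnoticed.
        "two_small_drift": select([Receiver("RX-1", truth),
                                   Receiver("RX-2", truth + 0.25)]),
        # Two units, bad one raises its own flag: isolated, one unit left.
        "two_flagged": select([Receiver("RX-1", truth),
                               Receiver("RX-2", 9.0, fault_flag=True)]),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```
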


The Global Positioning System (GPS) could 
avoid the above deficiencies and thus enhance 
the operational performance and safety of the 
Orbiter. There are two distinct aspects of con- 
sidering GPS as a replacement for MSBLS. 
First, MSBLS is not only obsolescent but also 
possibly could become a safety issue because 
of the great difficulty in maintaining very old 
electronic airborne units. Second, there is the 
considerable expense involved in maintaining 
a network of MSBLS ground stations at all 
landing and primary abort sites. The ability of 
the Orbiter to navigate independently for 
approach and landing using GPS could also 
significantly increase the number of contin- 
gency abort sites available. 

The Federal Aviation Administration (FAA) has 
already announced that GPS may soon be used 
as the sole navigation source by the airlines. 
Non-precision approaches using only GPS 
have already been approved, and precision 
approaches will almost certainly follow soon. 

The issue of MSBLS seems abundantly clear. 
The performance and safety enhancements that 
GPS can offer to Orbiter performance in 
ascent, aborts, on-orbit operations and 
approach and landing warrant its installation 
as soon as possible. 

Ref: Finding #13 

Throughout the history of the Space Shuttle 
program, there has been a continuing demand 
for upgrades to the functionality achieved with 
the on-board General Purpose Computer 
(GPC) system. This increase in functionality 
has been achieved through upgrades to the 
GPC software with the exception of a single 
GPC hardware upgrade which took over eight 
years to implement. Almost every flight sees 
some level of software change, and at some- 
what larger intervals, major upgrades to the 
software take place. There has been a general 
tendency for the memory and processor 
requirements to grow during this continual 
software upgrade process. 





As early as 1983, NASA recognized the need 
to upgrade the computational capabilities in 
the GPC hardware, and began a program to 
replace the original processors and memory. 

In 1991, NASA began use of the “new” GPC. 
However, the new GPC achieved considerably 
less additional memory usable for active flight 
control software than originally expected due, 
in part, to the non-modular arrangement of the 
Space Shuttle software. 

Upgrades to the Space Shuttle software continue,
but at a slower rate than before. There are 
concerns within NASA that important safety- 
related software upgrades are being postponed 
because of the complexity associated with 
changing the non-modular software. 
Moreover, at some point, the new GPC memo- 
ry will be filled, making further upgrades 
much more difficult, or, perhaps, even impossi- 
ble. Little analysis has been conducted on the 
long term impact of continuing demands for 
performance improvements and the ultimate 
limits of the current processors. 

Attention to date on computer related function- 
ality has been largely focussed on the GPCs 
and their memory. However, other avionics 
components, such as the MDMs, are also grow- 
ing older, with an attendant concern over main- 
tainability. Concerns have been expressed over 
how much longer they can be used. 

While the situation with respect to the Space 
Shuttle computer and avionics systems has not 
become critical, there are at least two major 
concerns. First, the GPC is gradually 
approaching saturation. Second, the time 
required for any major upgrade in 
computer/avionics hardware or redevelopment 
of the basic flight software is very long, on the 
order of a decade. Therefore, NASA should 
begin a long range strategic hardware and soft- 
ware planning effort on ways to supply future 
computational needs of the Space Shuttle 
throughout its lifetime. Postponing this activi- 
ty invites a critical situation in the future. 


Ref: Finding #14 

The ASAP has long advocated that more atten- 
tion be paid to the existing autoland function 
on the Orbiter. At present, the capability exists 
and crews are aware of it. They do not, how- 
ever, train for executing an autoland. They 
also do not engage in a formal process to 
examine topics related to autoland engagement 
and disengagement. These topics would 
include such things as conditions under which 
an autoland was the preferred mode and how 
and when a manual takeover should be accom- 
plished if necessary during an automatic land- 
ing. The Panel is simply proposing that crews 
receive a reasonable level of training and sys- 
tem familiarity so that autoland becomes a true 
contingency possibility rather than a capability 
with a remote chance of being used even if 
needed. NASA should also improve the 
autoland equipment on the Orbiter; for exam- 
ple, replacing MSBLS and TACAN with GPS. 


SPACE SHUTTLE MAIN ENGINE (SSME) 

Ref: Findings #15 through #17 
PHASE II ENGINE: The current SSME sys- 
tems (“Phase II”) have performed well in flight 
during the past year. However, a number of 
new and/or heightened concerns have arisen. 
Among them is an increased incidence and 
severity of “sheetmetal” cracks (or peeling) in 
the High Pressure Fuel Turbopump (HPFTP) 
turn-around and inlet ducts. This has resulted 
in the need for increased inspections to tighter 
limits as well as redesign of the sheetmetal of 
the inlet duct including a change in its manu- 
facturing technique. It was also discovered 
that the turning vanes in the High Pressure 
Oxygen Turbopump (HPOTP) preburner 
volute diffuser had undersized (out of specifi- 
cation) fillet radii, a condition that enhances 
the probability of fatigue failure. This has 
resulted in a Deviation Approval Request 
(DAR) being issued limiting the number of 
turbopump starts and runs between removals 
for refurbishing. All told, as a result of the 
accumulation of DARs, it is now necessary to 
remove and at least partially disassemble the 
engine and turbopumps after each flight. The 
continuing need for additional special inspec- 
tions and service time limits confirms the 
validity of the decision to commit to the major 
engine improvements that have been undertaken,
the Blocks I & II programs discussed 
later in this section. 

There was a launch abort caused by a violation 
of the start limit for the HPOTP turbine 
exhaust temperature (1,560 degrees F) on an 
engine during the initial launch attempt for the 
STS-68 mission. The control system per- 
formed as designed during this abort and shut 
down all three SSMEs prior to solid rocket 
motor ignition. A thorough investigation of 
the incident led to the conclusion that there 
had been a concatenation of a number of fac- 
tors, none of which individually would have 
caused the over-temperature, that led to the 
shutdown. These factors included, among oth- 
ers, a Main Combustion Chamber (MCC) that 
had above normal leakage and a flowmeter that 
exhibited a calibration shift during its first 
acceptance test but performed normally there- 
after. The engine containing the pump that 
caused the shutdown was removed from the 
vehicle and sent to the Stennis Space Center 
for test firing. Care was taken to ensure that 
there were no changes in its configuration. 
The engine performed normally in the test. A 
review of the methodology used to set the start 
and flight redlines is continuing. 

Sensor failures continue to be a problem. 
They are mitigated somewhat by the use of 
redundant instruments and controller logic. 
Some actions have been taken to improve the 
reliability of the current sensors. For example, 
new pressure sensor inspection techniques are 
being employed to help detect and eliminate 
particulate contamination. Flux contamination 
of the cryogenic temperature transducers is 
being eliminated by changes in manufacturing 
and inspection techniques and sequences. Hot 
gas temperature transducers using thermistors 
as the principal sensor will be replaced by a 
more rugged thermocouple-based sensor. 

BLOCK I ENGINE: The Block I engine 
improvement program is proceeding very well. 
The Block I engine includes the new two-duct 
powerhead, the single tube heat exchanger and 
the Advanced Turbopump Program (ATP) 
HPOTP. The first two of these major changes 
have flawlessly completed certification tests. 
The first unit of the ATP HPOTP has completed 
initial certification testing accumulating 10,000 
seconds of run time in 22 test runs and is into 
its second series. These tests included consid- 
erable time at 109% thrust as well as a margin 
demonstration at 111%. The unit was disas- 
sembled after these tests and only minor wear 
was observed. The turbine blades and the sili- 
con-nitride ball bearings were in excellent con- 
dition and can be re-used. One roller in the 
roller bearing had slight wear indicating con- 
tact with the end rail of the bearing — a minor 
problem. There was some delamination of the 
honeycomb structures that serve as part of the 
labyrinth seals between stages of the turbine. 
No performance degradation was observed and 
the phenomenon poses no danger to the 
machine. This wear can be remedied by minor 
design changes. The second HPOTP unit had 
completed its first series of tests and has accumulated
10,000 seconds of run time without 
any problems as of the time of this writing. 

As part of the HPOTP program it was neces- 
sary, for proper matching of the boost and 
main pumps in the oxygen system, to redesign 
the angle of the inducer blade of the Low 
Pressure Oxygen Turbopump (LPOTP) that 
feeds the HPOTP. This change is straightfor- 
ward and was achieved without difficulty. 
While this was being done, the current (Phase 
II) LPOTP began to exhibit excessive ball wear 
in its thrust bearing. The solution adopted for 
the new LPOTP is to employ silicon-nitride 
balls in this bearing. Serendipitously, these 
balls are the same size as those employed in 
the HPOTP making the change simple to 
implement. 

In total, the Block I engine development and 
certification is proceeding well and is on 
schedule for its planned introduction into the 
fleet in the first half of 1995. 

BLOCK II ENGINE: This engine version 
comprising the Block I changes plus the Large 
Throat Main Combustion Chamber (LTMCC) 
and the ATP HPFTP is also proceeding well. 
Go-ahead for the re-start of the HPFTP and the 
start of the LTMCC development was given in 
the spring of 1994 thereby completing the 
scope of the program of major component re- 
design and development that had been recom- 
mended for over a decade. The LTMCC, 
which is considered by many to be the most 
significant safety improvement in the SSME, is 
ahead of its manufacturing plan, and a develop- 
ment unit has been shipped for test. A develop- 
ment unit of the HPFTP has also been assem- 
bled using parts that had been made before the 
activity was put on a stop-work status. At the 
time of this writing, a complete Block II devel- 
opment engine had been assembled and a full 
duration test run (including operation at 109%) 
had been completed. The preliminary data 
review from this test showed that the perfor- 
mance objectives predicted were achieved and 
that there were no systems integration problems 
evident. The first “final” configuration HPFTP 
is scheduled for delivery in the spring of 1995. 
The limiting factor in the delivery schedule is 
the time to develop and produce an improved 
fine-grain casting that should eliminate some 
cracking that had occurred in the earlier 
version. Other changes such as decreasing the 
turbine flow area by increasing the number of 
turbine nozzle vanes are to be delivered with 
adequate lead time. The increase in the number 
of turbine nozzle vanes also detunes the excita- 
tion of the first stage turbine blades and should 
preclude the cracking experienced at the trail- 
ing edge of the blade tip. 


HEALTH MONITORING: As noted in last 
year’s report, it would be advantageous to 
develop the engine controller and associated 
software and sensors into a true and more 
effective “health monitoring system.” Such a 
system would ideally reduce both the probabil- 
ity of shutting down a healthy engine and the 
probability of failing to detect an engine mal- 
function in a timely manner. Improved health 
monitoring would reduce the risk involved in 
engine operation. To accomplish this requires 
not only development of suitable algorithms 
but also improvement of the reliability of sen- 
sors and increasing the computational capacity 
of the controller. The improvement of sensors 
was discussed earlier in this section. 
Regarding the controller, during the past year 
it was found that it was subject to “single event 
upsets” due to cosmic ray strikes either during 
flight or on the ground. This eventuality was 
believed so remote during controller design 
that “radiation hardened” solid state electronic 
devices were not selected. It would be advis- 
able to substitute such hardened devices for 
existing hardware to reduce risk. While this is 
being accomplished, it appears possible simul- 
taneously to increase computational speed by 
adding a co-processor. This would permit the 
controller to perform the added functions 
required for improved health monitoring with- 
out a major redesign and re-manufacture. 

Studies have been conducted to define the 
algorithms that would be needed to enhance 
engine health monitoring. It was found that, 
with the current complement of sensors (i.e., 
pressure, temperature, valve position, and 
speed) and computational power, it was not 
possible to effect any significant improvement 
in the health monitoring function effectiveness. 
It was determined that if engine vibration were 
added to the inputs to the system along with 
the previously mentioned co-processor, signifi- 
cant improvements could be made as parame- 
ters of this type can give early warning of 
severe malfunction. Accelerometers measuring
these variables already exist on each 
engine in the Flight Accelerometer Safety Cut-Off
System (FASCOS). The instruments 
themselves appear to have requisite reliability, 
but cables and connectors that transmit their 
signals do not. Their reliability is so low that 
the information transmitted cannot be trusted. 
Correcting these problems should be pursued 
and, when successful, the development of a 
modern health monitoring system (similar to 
those employed in jet aircraft) should be 
undertaken. 

Ref: Finding #18 

Space Shuttle operations planning includes 
provisions for a variety of aborted flight situa- 
tions in the event of the failure of one or more 
SSMEs. The particular abort mode to be 
flown is dependent on the number and timing 
of SSME failures. Loss of a single SSME 
leads to one of a series of abort modes known 
as intact aborts. The first of these is the Return 
to Launch Site (RTLS) abort. It results from 
the early shutdown of an engine which yields a 
trajectory without sufficient energy to reach 
even a Transoceanic Abort Landing (TAL) site. 
RTLS is currently the only intact abort possi- 
ble with a single engine failure in approxi- 
mately the first 160-175 seconds of flight. 

If a main engine is lost in the middle of pow- 
ered flight (from approximately 175 seconds to 
300 seconds), the Space Shuttle can fly to a 
TAL site at Ben Guerir, Morocco; Moron, 
Spain; or Banjul, The Gambia. The powered 
flight, external tank separation and entry pro- 
files of the TAL more closely approximate the 
normal flight profile than do the unusual flight 
path and maneuvers of RTLS. 

When sufficient energy is achieved, the Space 
Shuttle has the capability to abort by flying 
once around the earth and landing at 
Edwards Air Force Base, White Sands Space 
Harbor or the Shuttle Landing Facility 
(SLF) at KSC. This is known as an Abort- 
Once-Around (AOA). 


The loss of SSME thrust late in the trajectory 
still permits the Space Shuttle to Abort-to- 
Orbit (ATO) at a minimum altitude of 105 nau- 
tical miles. The mission can then be continued 
or terminated normally with a deorbit burn 
and landing. 

Loss of two SSMEs results in a contingency 
abort situation. This can require the Space 
Shuttle to land at a contingency landing site 
or necessitate a bail-out or ditching. The 
availability of suitable contingency landing 
sites is dependent on the inclination of the 
launch (intended flight path) and timing of 
the second engine failure. In general, if a 
second failure occurs while the Space Shuttle 
is already flying an RTLS maneuver, 
Bermuda, one of the preferred contingency 
landing sites, cannot be reached. 

Any abort increases risk over normal flight. 
Therefore, although each of the intact abort 
types has been “certified” by analysis, avoid- 
ing abort situations, especially the more unusu- 
al aborts which do not approximate a normal 
flight profile, is desirable. Hence, ATO is 
clearly the preferred mode since it is really a 
quasi-normal operation. The STS 51-F mis- 
sion executed an ATO when an engine was 
shut down prematurely late in flight due to a 
sensor failure. It continued uneventfully and 
achieved many of its objectives even though 
the intended orbit was not reached. 

RTLS raises several particular concerns 
because of the unusual flight profile which 
must be flown. After the Solid Rocket 
Boosters (SRBs) are separated, the Space 
Shuttle must continue flying to dissipate pro- 
pellants in the External Tank (ET). While dis- 
sipating propellants, a powered pitcharound 
must be performed so that the Orbiter is literal- 
ly flying backwards with the thrust of the 
remaining SSMEs being used for braking. 
This is followed by a powered pitchdown 
before main engine cutoff and ET separation. 
The Space Shuttle then executes a pullout and 
enters the region of Terminal Area Energy 
Management. The RTLS concludes with heading 
alignment and a landing at the SLF. The unusual 
RTLS maneuver leads to several concerns such as 
overheating from flying into the SSME plume 
and extremely complex flight mechanics. 

Previous examinations have been made of 
what is required to eliminate or reduce expo- 
sure to RTLS by achieving TAL capability 
sooner in the ascent profile. In general, reduc- 
ing or eliminating RTLS exposure requires 
changes in entry trajectory (“stretched entry”) 
as well as an SSME abort throttle setting 
above the typical 104% level (at least 109%). 
For the present engine configuration, the use of 
109%, even in an abort situation, was consid- 
ered undesirable because of the inherent reduc- 
tions in operating margins at the higher thrust. 
The upcoming Block II engines, however, are 
designed to operate at a 109% power setting 
with margins comparable to (or better than) the 
current SSMEs at 104%. 

In light of the operating flexibility offered by 
the Block II engines, it would appear prudent 
to reexamine the entire issue of aborts in 
detail. Eliminating RTLS should be one objec- 
tive of this review. The resulting risk reduction 
and improvement in launch probability would 
represent significant benefits to the Space 
Shuttle and ISS programs. 


EXTERNAL TANK 

Ref: Finding #19 

The Super Lightweight Tank (SLWT) is being 
designed and built for the Space Shuttle to pro- 
vide a large proportion of the weight savings 
needed to accommodate the increased payload 
requirements of the ISS. The liquid oxygen 
tank aft dome gore panel thickness of the 
SLWT has been reduced significantly from its 
initial design on the basis of analytic results. 
To stiffen the dome, a rib was added. 


The current plan to verify the buckling strength 
of the aft dome involves a proof test only to limit 
load. This will permit the test hardware to be 
reused. The problem is that buckling phenomena 
cannot be extrapolated with confidence between 
limit and ultimate loads. Thus, the proof test will 
only demonstrate that the structure will withstand 
limit load without buckling. In order to provide a 
sufficient level of confidence, the SLWT aft 
dome should either be tested to ultimate loads or 
its strength should be increased to account for 
the uncertainties in extrapolation. 


SOLID ROCKET 
BOOSTER (SRB) 

Ref: Finding #20 

The addition of an external bracket to the aft skirt 
of the SRB has been proposed to restore the fac- 
tor of safety to 1.4. The effectiveness of this 
modification was to be tested using segments cut 
from an aft skirt and loaded so that the boundary 
conditions of stress and strain duplicated those 
encountered in a previous full scale test of an aft 
skirt (the “STA-3” test). The first step was to 
duplicate the baseline conditions with an unmod- 
ified segment. This test did not successfully 
repeat the stresses and strains measured in the 
STA-3. This suggests that segment testing of the 
proposed bracket modification to improve the aft 
skirt’s factor of safety may not be valid. 


LOGISTICS AND SUPPORT 

Ref: Findings #21 through #23 

The principal logistics performance measure- 
ments such as cannibalization, shelf fill rates, 
zero/below minimum balance and repair turn- 
around time showed good to excellent results this 
year. Cannibalization has shown the expected 
response to the control being exercised, but is 
still not at zero and is therefore of concern. The 
reporting and control systems have reached a 
mature stage and appear to be very satisfactory 
for all Space Shuttle elements. 




A major effort toward consolidation of logistics
activities at KSC has recently been
announced which should optimize spares levels,
eliminate functional duplication and centralize
control and administration. A group has
been established to study and recommend final
organizational and functional realignments.

The overall benefits of a comprehensive consolidation
such as the reduction of unnecessary
duplication at KSC are apparent. The
decision to omit the Spacelab logistics
from the new system appears wise as its
requirements and structure are unique and the
program is nearing completion.








D. AERONAUTICS 


Ref: Finding #24 

NASA has entered into an agreement with the 
Russian Tupolev Design Bureau to support a 
set of research flights on a TU-144 supersonic 
airplane. The TU-144 has a questionable safety 
record, and the particular airplane to be flown 
has been “mothballed” for years. The level of 
assurance available for this flight project may 
not be equivalent to that typically associated 
with NASA’s flight research programs. 

The TU-144 program has the potential for 
assisting in validating design codes used in the 
High Speed Civil Transport (HSCT) efforts 
and can thereby reduce the probability of 
making costly mistakes. However, this 
depends upon a well conceived program that 
correlates the data derived from the flight pro- 
gram with predictions. The currently planned 
experiments include boundary layer measure- 
ments, handling quality assessments, propul- 
sion system thermal environment, sonic boom 
signatures, cabin noise and temperature pre- 
diction verifications. 

Before the flight program is to be conducted, 
the aircraft will undergo significant modifica- 
tions. In addition to being returned to flight 
status after a long period of storage, the plans 
include replacing the original engines with a 
different type adapted from the Blackjack 
bomber. This will require adapting new 
nacelles and a digital engine controller. In 
light of the changes and uncertainties 
involved in the TU-144 flights, NASA should 
assure that all design and safety data and 
operational characteristics of this vehicle 
have been fully explored. 

Ref: Finding #25 

Wind shear is created during an atmospheric 
phenomenon known as a “microburst.” This 
consists of a powerful downdraft that cascades 
earthward creating rapidly shifting winds. An 
airplane flying into such a condition can suddenly
encounter winds that can reduce airspeed
to a hazardous level. Wind shear is a 
major safety concern even though it occurs 
infrequently. It has been a causal factor in at 
least 27 U.S. aircraft accidents between 1969 
and 1985 and has been cited as the cause of 
over 50 percent of accident fatalities in the 
1975 to 1985 period. Close calls continue to 
be reported; the risk still exists. 

A National Integrated Wind Shear Program 
Plan was initiated by NASA and the FAA to 
develop methods for detecting this atmospher- 
ic phenomenon and providing timely informa- 
tion to aircraft in imminent danger of encoun- 
tering this hazardous condition. The program 
consisted of three principal elements: (1) hazard
characterization — wind shear physics, 
heavy rain aerodynamics, impact on flight 
behavior; (2) sensor technology — airborne 
doppler radar and other instrumentation; and 
(3) flight management systems — requirements, 
displays, pilot procedures. 

In operational use, the system displays in the 
cockpit a predictive wind shear hazard index. 
The FAA has already published system 
requirements and certified certain technologies 
for implementing the system. All national and 
international carriers will be required to have 
such a wind shear detection system in the near 
future — as early as December 1995. The U.S. 
Air Force already requires this capability on all 
its transport and tanker aircraft. 

The wind shear program is a good example of 
a productive cooperative research program. 
Although the work has already been trans- 
ferred into operations, there is more to be done 
on the subject of wind shear. For example, 
radar frequencies other than the X-band which 
is currently employed might profitably be 
investigated. Therefore, continued support of 
research relating to wind shear and other air- 
craft-threatening phenomena, such as wake 
vortices, and the transfer of related technolo- 
gies to industry appears warranted. 





Ref: Finding #26 

NASA has had a long history of research sup- 
porting industry’s efforts in tire design and 
operation. Through the years, aircraft performance
has continued to increase, placing 
greater reliance on tire design for safe high 
speed operation, and for durability in service. 
Although significant progress has been made, 
much work remains. Supersonic aircraft, and 
in particular the future HSCT, will require 
even higher performance from its tires. The 
Space Shuttle has tires that require replace- 
ment after each flight. Thus, there are contin- 
uing safety and economic reasons for addi- 
tional research aimed at developing improved 
tire materials and designs. 

NASA’s tire program operates from the 
Langley Research Center using the Aircraft 
Landing Dynamics Facility and from the 
Dryden Flight Research Center (DFRC) using 
the Convair 990 Landing Systems Research 
Aircraft. The combination of a flying 
testbed and a ground-based facility provides 
researchers with excellent flexibility to study 
important tire issues. 

Ref: Finding #27 

The Dryden Flight Research Center has com- 
pleted a demonstration of the concept of a 
Propulsion Controlled Aircraft (PCA) system 
using an F-15 aircraft flight test and an MD-11 
simulator demonstration. The PCA system 
permits an aircraft to be guided to a landing in 
an emergency using only differential thrust for 
control. This might have prevented a crash 
such as the one experienced by the DC-10 at 
Sioux City, Iowa. With the successful landings 
in the F-15 and demonstrations with airline 
pilots in the simulator, the PCA program has 
clearly progressed beyond the proof of concept 
stage and identified the potential safety bene- 
fits from a full-scale development and deploy- 
ment of this concept. Now that the concept 
has been proved and before it is tested in a 
commercial transport, it is appropriate to 
address the total system design of propulsion 
control. This should include a strong focus on 
defining and designing the optimum pilot con- 
trol interface for the system. A basic concern 
is that an assumption appears to have been 
made that the standard Mode Control Panel is 
the appropriate interface. This may not be cor- 
rect. For example, if a pilot must make any 
manual throttle inputs, using the Mode Control 
Panel at the same time could be awkward. For 
this and other reasons, other control approach- 
es, particularly the use of the standard controls 
(yoke or sidestick) should be carefully consid- 
ered. This would result in a control approach 
similar to the Control Wheel Steering (CWS) 
mode available on many current aircraft. 

Ref: Finding #28 

The Perseus Program involves Unmanned 
Aerial Vehicles (UAVs) for environmental 
research. Last year, the Panel recommended 
development of a range safety policy at DFRC 
to be applied to UAVs. Dryden did indeed 
develop such a policy in coordination with the 
Edwards Air Force Base (EAFB) test range. 
This policy had to be applied to a Perseus flight 
on November 21 when the vehicle diverged at 
35,000 feet. The vehicle was lost, but range 
safety was not compromised. The vehicle 
crashed in the prescribed range safety area. 

Dryden is responsible for operating Perseus 
flights. An investigation team has been 
appointed by the Center Director to review 
this incident. Since the intended use of these 
vehicles is to provide a research platform for 
studies in atmospheric science, the Perseus 
will ultimately have to fly outside of the 
EAFB protected area. In fact, UAVs such as 
Perseus may operate in both national and 
international airspace. Dryden cannot take 
responsibility alone for these flights. Other 
U.S. and international governmental authori- 
ties must be involved. 





E. OTHER 


Ref: Finding #29 

The Simplified Aid for EVA Rescue (SAFER) 
is a small maneuvering unit intended to fit at 
the bottom of the Portable Life Support 
System (PLSS) of an EVA astronaut. Its 
design purpose is to permit an astronaut who 
becomes untethered from the Space Station or 
a Space Shuttle to return safely. This potential 
problem is not considered great for a free flying
Shuttle since it can maneuver immediately 
to retrieve an astronaut who is drifting away. 

It can be serious, however, if the Space Shuttle 
is attached to the Space Station or another 
satellite and is not free to maneuver quickly. 

In addition to astronaut rescue, there are also 
contingency situations which cannot be 
resolved at present because an EVA astronaut 
is unable to maneuver to the source of the 
problem. For example, if there were an indica- 
tion that an ET umbilical door on the Orbiter 
had failed to close, the crew would have no 
way to perform a visual inspection to confirm 
the validity of the warning. 

Since SAFER was designed primarily for 
rescue, it does not include the degree of redun- 
dancy typical of human-rated flight systems. 
It was reasoned that a single string system 
would be adequate for rescue objectives. 
However, this lack of redundancy appears to 
have deterred NASA from expanding the use 
of SAFER to the contingency situations in 
which it can be a significant benefit. 

Five flight units have been ordered. Three of 
these will be deployed on the Mir and Space 
Station. The two remaining units are to be 
flown on the Space Shuttle only when an EVA 
is planned. This deployment strategy does not 
make full use of the safety benefits of flying 
SAFER. Given that a problem has occurred 
such as an indication of an unlatched ET door 
or the suspicion of tile damage, it would likely 
be an acceptable risk to employ a SAFER unit 
to inspect or correct the situation. In general, 
if there is the possibility of a corrective or con- 
firmatory action to increase flight safety, the 
small additional risk arising from the lack of 
redundancy in SAFER can be tolerated. 

Based on these considerations, it would appear 
reasonable to carry one or two SAFER units 
on all Space Shuttle missions once the flight 
units are available. These units are relatively 
light weight and have minimal logistics 
requirements. They stow in the airlock on the 
PLSS, so they do not require any Orbiter mod- 
ifications. The availability of the SAFERs will 
provide mission planners with a significant 
increase in flexibility to handle contingencies 
which might arise. The only exception to the 
general deployment of the SAFERs would 
arise on those missions which are severely 
weight limited and do not have any planned 
EVAs. NASA should examine the logistics 
and costs associated with a more widespread 
use of SAFER, and, if necessary, procure addi- 
tional flight units to support an expanded role 
for SAFER. 

Ref: Finding #30 

Over the past several years, NASA has 
received recommendations from the General 
Accounting Office, the ASAP and the National 
Research Council among others stating that the 
agency needed to give greater attention to 
potential software problems. Early in the year, 
NASA established a Software Process Action 
Team (SPAT) to review and develop plans for 
addressing the plethora of software concerns 
that have been raised. The problem with the 
initial implementation of the SPAT was that 
several of the NASA organizations involved in 
software development were permitted to 
bypass participation. 

The SPAT has been addressing a broad range 
of important software and process issues, 
including: 





• software development processes 

• software management processes 

• training of developers and managers in 
software technology 

• software acquisition processes 

• the mandating of processes 

• the role of a lead center in software 
management 

• roles, responsibilities and reporting 
structure of the Software Working Group 

• inclusion of people with a software back- 
ground in the Systems Engineering Process 
Activity 

• access to launch software of purchased 
launch vehicles in view of the Commercial 
Launch Act. 

It is important that the SPAT focus on the 
level of recommendation that can lead to use- 
ful work and not get mired in excess detail. It 
is better to focus at this stage on what needs 
to be done rather than a formula for doing it. 

The SPAT was charged with producing a 
comprehensive report after a small number of 
meetings. In retrospect, there may be too 
much in the task statement for the time 
allowed. NASA should ensure that computer 
software issues are given high priority 
throughout the agency and that those address- 
ing these issues are given the support needed 
to produce adequate ways of dealing with 
them. The creation of the SPAT was an 
important initial step toward dealing with 
complex safety critical problems, but more 
needs to be done. In particular, all affected 
groups should be required to participate in 
these activities. 


Ref: Finding #31 

There were several in-flight and ground-based 
episodes in which astronauts developed adverse 
reactions to substances used in human experi- 
ments. Although within the anticipated out- 
comes of the experiments, these events raise a 
concern with regard to the particular needs of 
protecting human subjects in a space flight 
environment. An aspect of the problem appears 
to be that there is insufficient independent over- 
sight within NASA of the safety of human 
experiments. The researchers all submit their 
protocols to a standard Institutional Review 
Board (IRB) process. This is a good step, but it 
is a peer review and the IRB members may not 
necessarily be knowledgeable about the unique 
aspects of human experimentation aboard a 
spacecraft. Since NASA has the Office of 
Safety and Mission Assurance (OSMA) and it 
has responsibility for incident investigations, it 
would seem appropriate for OSMA to become 
involved in at least two areas related to human 
experimentation. First, OSMA could establish 
a review process to augment the standard IRB. 
Second, it could ensure that the Shuttle and 
Space Station systems requirements provide 
sufficient equipment, staffing and training to 
deal appropriately with any problems which 
might be experienced. Together with the stan- 
dard IRB, the OSMA review would add signifi- 
cant breadth to the oversight of the safety of 
human experiments. 

Ref: Finding #32 

The ASAP has maintained a continuing inter- 
est in the Aviation Safety Reporting System 
(ASRS) since ASRS was established in 1975. 

In that year, the FAA asked NASA to develop 
and operate the system, acting as a neutral 
third-party between aviation operating person- 
nel and the FAA. The ASRS was designed to 
receive voluntary reports of unsafe occurrences 
and hazardous situations, process, analyze, and 
interpret these reports, and disseminate find- 
ings and recommendations to the aviation 
community. The program is well managed, 
extremely well-accepted by the aviation community,
and the system has contributed to aviation 
safety by reporting insights and advisories that 
otherwise might be suppressed or lost through a 
highly-structured regulatory process. The value 
of the system has been confirmed repeatedly by 
operating and management personnel. 

A recent report on the ASRS by a study team 
from the National Academy of Public 
Administration (NAPA) provided a thorough 
and complimentary review of ASRS (A Review 
of the Aviation Safety Reporting System, NAPA- 
August 1994). Given the many benefits of 
ASRS identified by NAPA, NASA and the FAA 
should restore the full capability of analysis, 
interpretation, and dissemination of the ASRS 
and promote electronic dissemination and 
expanded educational outreach. 

Ref: Finding #33 

NASA’s predecessor organization, the NACA, 
in establishing its research agenda, benefitted 
from the advice of experts drawn from industry, 
the government and academia through an advisory
committee structure. One such committee, 
the Committee on Aircraft Operations, provided 
advice in problem areas relating to meteorology, 
fire prevention, noise and flight safety. A similar
panel was eliminated during a period when 
NASA was required to reduce the number of its 
advisory committees. This has created a void in 
the input NASA receives to define its aeronauti- 
cal and flight safety research programs which 
should be filled. It may be possible to obtain 
the needed advice through the restructuring of 
the existing committee structure. 

Ref: Finding #34 

In previous reports, the Panel has questioned 
the commitment of the entire NASA/contractor 
team to the practice and principles of Total 
Quality Management (TQM). Whatever misgivings
may have once prevailed are 
now assuaged and the Panel is convinced that 
NASA and its contractors do, indeed, have 
TQM programs worthy of emulation by others 
both in and out of government. 





IV. APPENDICES 





APPENDIX A 

NASA AEROSPACE SAFETY ADVISORY PANEL MEMBERSHIP 


CHAIRMAN 

MR. NORMAN R. PARMET 

Aerospace Consultant 

Former Vice President, Engineering 

Trans World Airlines 

DEPUTY CHAIRMAN 

MR. PAUL M. JOHNSTONE 

Consultant, Former Senior Vice 
President, Operations Services 
Eastern Airlines, Inc. 

MEMBERS 

MR. RICHARD D. BLOMBERG 

President 

Dunlap and Associates, Inc. 

MS. YVONNE C. BRILL 

Aerospace Consultant 

Former Space Segment Engineer 

INMARSAT 

VADM ROBERT F. DUNN, USN (RET) 

Aerospace Consultant/Author 
Former Deputy Chief of Naval 
Operations Air Warfare, Pentagon 

DR. GEORGE J. GLEGHORN 

Aerospace Consultant 

Former Vice President & Chief Engineer 

Space & Technology Group, TRW, Inc. 

DR. NORRIS J. KRONE 

President 

University Research Foundation 

MR. MELVIN STONE 

Aerospace Consultant 
Former Director of Structures 
McDonnell Douglas Corporation 

DR. RICHARD A. VOLZ 

Head, Department of 
Computer Sciences 
Texas A&M University 


CONSULTANTS 

MR. CHARLES J. DONLAN 

Aerospace Consultant 
Former Deputy Director 
NASA Langley Research Center 

MR. JOHN A. GORHAM 

Aerospace Engineering 
Gorham Associates 

DR. SEYMOUR C. HIMMEL 

Aerospace Consultant 
Former Associate Director 
NASA Lewis Research Center 

MR. JOHN F. MCDONALD 

Former Vice President 
Technical Services 
TigerAir, Inc. 

DR. JOHN G. STEWART 

Director 

Consortium of Research Institutions 

DR. WALTER C. WILLIAMS 

Aerospace Consultant 
Former NASA Chief Engineer 

EX-OFFICIO MEMBER 

MR. FREDERICK D. GREGORY 

Associate Administrator for 
Safety and Mission Assurance 
NASA Headquarters 

STAFF 

MR. FRANK L. MANNING 

Executive Director 
NASA Headquarters 

MS. PATRICIA M. HARMAN 

Staff Assistant 
NASA Headquarters 





APPENDIX B 

NASA RESPONSE TO 
MARCH 1994 ANNUAL REPORT 


SUMMARY 

NASA responded on July 1, 1994 to the “Findings and Recommendations” from the March 
1994 Annual Report. NASA’s response to each report item was categorized by the Panel as 
“open, continuing, or closed.” Open items are those on which the Panel differs with the 
NASA response in one or more respects. They are typically addressed by a new finding and 
recommendation in this report. Continuing items involve concerns that are an inherent part of 
NASA operations or have not progressed sufficiently to permit a final determination by the 
Panel. These will remain a focus of the Panel’s activities during the next year. Items consid- 
ered answered adequately are deemed closed. 

Based on the Panel’s review of the NASA response and the information gathered during the 
1994 period, the Panel considers that the following is the status of the recommendations made 
in the 1994 Report. 






RECOMMENDATION SUBJECT                                                  STATUS

U.S. and Russian Space Program safety concerns                          CONTINUING
Impact of space debris on long-duration missions                        CONTINUING
Space Station structural dynamics in collision-avoidance maneuvering    CONTINUING
Space Station Crew Rescue                                               CONTINUING
KSC Continuous Improvement                                              CLOSED
Impact on safety as a result of cost reductions at KSC                  CONTINUING
KSC Space Shuttle processing problems due to human factors              CLOSED
KSC Structured Surveillance Program                                     CLOSED
Thermal damage to OV-103 elevon tiles                                   CLOSED
Development of improved tiles                                           CLOSED
Multipurpose Electronic Display System                                  CONTINUING
Improved Auxiliary Power Unit                                           CLOSED
Autoland                                                                OPEN
Space Shuttle Main Engines (SSME)                                       CLOSED
High Pressure Fuel Turbopump (HPFTP)                                    CLOSED
SSME Block II development                                               CLOSED
Engine Sensors                                                          CONTINUING
SSME health monitoring system                                           CONTINUING
Solid Rocket Motor Aft Skirt Stress                                     CONTINUING
Redesigned Solid Rocket Motor (RSRM) forward casing crack               CLOSED
Use of Advanced Solid Rocket Motor design features in the RSRM          CLOSED
Monitoring chamber pressure in RSRMs                                    CLOSED
Super Light Weight External Tank                                        CONTINUING
Integrated Logistics Panel Support to entire logistics program          CLOSED
Vision 2000 effects on logistics program                                CLOSED
Just-In-Time manufacturing and shelf stocking concept                   CLOSED
Main logistics system performance                                       CLOSED
Dryden Flight Research Center (DFRC) range safety policy and system     CLOSED
DFRC Flight Safety and Mission Assurance Organization                   CLOSED
X-31 aircraft stability                                                 CLOSED
Agencywide policy and process for software                              CONTINUING
Space Human Factors Engineering Program                                 CONTINUING
Total Quality Management principles and practices                       CLOSED




National Aeronautics and 
Space Administration 

Office of the Administrator 

Washington, DC 20546-0001 



JUL 1 1994

Mr. Norman R. Parmet 
Chairman 

Aerospace Safety Advisory Panel 
5907 Sunrise Drive 
Fairway, KS 66205 


Dear Mr. Parmet: 

In accordance with your introductory letter to the March 
1994 Aerospace Safety Advisory Panel (ASAP) Annual Report, 
enclosed is NASA's detailed response to Section II, "Findings 
and Recommendations." 

The ASAP's commitment to assist NASA in maintaining the 
highest possible safety standards is commendable. Your 
recommendations play an important role in risk reduction in 
NASA programs and are greatly appreciated. 

We thank you and your Panel members for your valuable 
contributions. ASAP recommendations are highly regarded and 
receive the full attention of NASA senior management. We look 
forward to working with you. 


Sincerely, 

Daniel S. Goldin 
Administrator 


Enclosure 


1994 AEROSPACE SAFETY ADVISORY PANEL REPORT 
FINDINGS AND RECOMMENDATIONS 

A. SPACE STATION PROGRAM 


Finding #1: Joint U.S. and Russian space programs, including the Space Station, are 
now underway. Potential safety concerns arising from these collaborative efforts have 
not yet been completely defined or addressed. 

Recommendation #1: Safety requirements for the joint programs should be established 
from a thorough understanding of the underlying policies of design, test, and review in 
use by each country. Timely total systems analyses should be conducted to ensure 
adequate safety of components and interfaces as well as overall system safety. 

NASA Response: Safety concerns will be addressed by obtaining agreement from both 
NASA and the Russian Space Agency (RSA) on a common set of technical safety 
requirements and a review process. 

The technical safety requirements for the Russian Segment Specification are intended to 
be the same as those being imposed on the other international partners. Of the 122 
identified safety requirements, 92 have agreement, 15 have pending agreement, and 15 
are still under negotiation. Presently, the Russians do not implement a safety review 
process similar to NASA’s. The NASA safety review process is based on hazards 
analyses at the subsystem, system, and integrated levels. The closest equivalent in the 
Russian process is a review of "off-nominal" situations. Negotiations are in process to 
evaluate the Russian off-nominal situation process for compatibility with hazards analyses 
and to ensure that appropriate steps are implemented to address hazards with Russian 
hardware. The latest draft of the NASA/Russian memorandum of understanding 
provides for a NASA/Russian safety review process in Article 10, Safety and Mission 
Assurance. 

Finding #2: Much good work has been done to assess the impact of space debris on the 
long-duration mission of the Space Station, and significant accomplishments have been 
made in developing shielding to protect the Station. However, there is still insufficient 
information on the probability that penetrations will have a catastrophic effect. 

Recommendation #2: To support effective risk management, NASA should continue its 
emphasis on space debris problems, including a better characterization of the risk of 
catastrophic failures and an assessment of the capability to add shielding on orbit. 

NASA Response: The international Space Station program is continuing to place strong 
emphasis on understanding, characterizing, and mitigating the risks associated with 
meteoroid and orbital debris. A Meteoroid/Debris Analysis and Integration Team 
(M/D AIT) consisting of NASA, contractor, and international partner technical experts 
is active and reports directly to the Vehicle Analysis and Integration Team. 





The M/D AIT comprehensive strategy for managing M/D risks consists of a three-part 
approach: protection, avoidance, and risk abatement. [...] shielding) are baselined to 
prevent penetrations of critical elements for particles sized less than 1 cm. 
Collision-avoidance procedures will be implemented to protect the Station from the 
threat of larger (typically greater than 10 cm) ground-trackable particles. The midrange 
size particles will be handled by a series of risk-abatement approaches that will be 
established initially and evaluated continually. [...] are being pursued to characterize 
the risks of impacts of midrange (1 to 10 cm) particles and to increase the effectiveness 
of the protection offered by shielding and collision avoidance. 

Risk abatement approaches with the goal of increasing protection system performance 
under consideration include: reduction of environmental model uncertainties, enhanced 
hypervelocity test and penetration analysis techniques, on-orbit shield augmentation 
capabilities, and alternate altitude strategies. Approaches that may increase collision 
avoidance effectiveness include enhanced radar capabilities and flight operations 
techniques. Finally, approaches being pursued to characterize and [...] the residual 
risks include: definition and assessment of critical items and the probability of 
catastrophic failures, advanced analysis of critical crack and fracture mechanics, crew 
training and operations techniques, and repair and replacement procedures. 

Finding #3: Consideration is being given to maneuvering the Space Station to avoid 
larger debris that are capable of being tracked. Such maneuvers raise concerns about 
Station structural dynamics, disruption of the microgravity environment, and the ability of 
existing or planned systems to provide adequate debris tracking data. 

Recommendation #3: Before adopting any maneuvering option, care must be taken to 
ensure that the dynamics of operation, including their effects on hardware, e.g., solar and 
radiator panels, and their influence on microgravity experiment operations are 
considered. Realistic evaluation must also be made of the ability of ground-based and 
on-orbit systems to support maneuvering options with adequate debris tracking. 

NASA Response: A collision-avoidance maneuver is, in practice, the same as a reboost 
maneuver. There are no concerns related exclusively to a reboost maneuver due to 
structural dynamic effects since all Space Station systems are being designed to handle a 
reboost; therefore, a known collision-avoidance maneuver will, likewise, present no 
structural problems. 

However, a short-notice collision-avoidance maneuver could require a maneuver without 
being in the preferred configuration (i.e., solar panels, remote manipulator system). The 
operational procedures to ensure structural integrity and afford the capability for 
collision-avoidance on short notice continue to be worked. 

The microgravity (micro-g) environment would be interrupted during an avoidance 
maneuver. However, the Space Station is not always required to be in a microgravity 
environment. The current microgravity requirement is for 180 days/year, subdivided into 
no less than 30-day periods. Current analysis shows that the Space Station could actually 
exceed the requirement by two additional 30-day periods. Therefore, if a maneuver must 
occur, and a micro-g period is disrupted, the margin of two micro-g periods can be used 
for "recovery." 

Ground-based tracking of space debris is provided by the U.S. Space Command, not 
NASA. Their systems have the ability to track debris particles as small as approximately 
10 cm. 

Finding #4: Present plans for rescue of Space Station personnel are not fully defined 
and may prove unsatisfactory without more precise and detailed planning, including 
necessary training and restrictions on the Station population. 


Recommendation #4: NASA should reexamine current plans to ensure that they meet 
the required safety criteria. If they do not, priority should be given to the protocols 
necessary to ensure rescue of the entire Station crew if the Station must be evacuated. 

NASA Response: The Space Station program is planning for the rescue of the entire 
crew in case of medical emergencies, Space Station evacuation, or interruption in Shuttle 
operations. Currently, the Space Station program plans to use Russian Soyuz spacecraft 
to perform this function during the assembly phase. This spacecraft has been proven 
over many years in supporting the Mir station. American astronauts will be fully trained 
in the use of Soyuz, and restrictions on its use by our astronauts are fully understood. 
Replacement of the Soyuz after the year 2002 is being considered by either a modified 
Soyuz or an American-built Crew Transfer Vehicle. 





B. SPACE SHUTTLE PROGRAM 


LAUNCH AND LANDING 

Finding #5: The organization and management of Space Shuttle launch operations at 
Kennedy Space Center (KSC) continue to benefit from a "continuous improvement 
process" managed by the Shuttle Processing Contractor (SPC). Greater employee 
involvement, better communications, strengthened employee training and the use of task 
teams, process improvement teams, and a management steering committee have been 
major factors in this improvement. 

Recommendation #5: A strong commitment to achieving "continuous improvement," 
despite budget cutbacks, should be maintained, at the same time recognizing the 
paramount priority of safety. 

NASA Response: The SPC continues its deep commitment to Continuous Improvement 
(CI) with over 550 active process improvement teams and 86 percent of their 
6,600-person workforce trained in the principles and precepts of CI. The underlying theme of 
all SPC initiatives is their pledge for the highest level of performance at the lowest 
possible cost with absolute dedication to safety and quality. 

Finding #6: More than 1,200 positions have been eliminated by the SPC since 
September 1991 with only about 22 percent being achieved through involuntary 
separations. Present reductions have been achieved without an apparent adverse effect 
on the safety of launch processing. A comparable further reduction has been called for 
by the end of FY 1995. These additional reductions cannot likely be made without a 
higher probability of impacting safety. 

Recommendation #6: KSC and SPC management must be vigilant and vocal in avoiding 
any unacceptable impacts on safety as a result of cost reductions planned for FY 
and beyond. 

NASA Response: KSC and SPC management are firmly committed to the precept that 
safety will not be compromised as a result of cost reductions. Procedures for processing 
a safe space vehicle have been established and are strictly followed. These procedures 
are revised only after a thorough review by technical and safety personnel to ensure that 
safety will not be compromised. Schedule times are flexible; safety requirements are not. 
As the cost reductions continue, KSC is committed to processing only the number of 
vehicles that can be completed safely within available resources. 

Finding #7: Several Space Shuttle processing problems at KSC have been attributed to 
human factors issues. KSC has recently formed a human factors task force to address 
these problems. 





Recommendation #7: KSC should ensure that the human factors task force includes 
individuals with training and experience in the field. Specific assistance should be sought 
from appropriate research centers and technology groups within NASA. 

NASA Response: The Management Steering Committee, chaired by the KSC Launch 
Director, established a CI team to support the Incident Error Review Board (IERB) in 
assessing human-error factors. This team reviewed the human-factors aspects of the 
Freon Coolant Loop Number 1 Pump Package incident on OV-105/STS-61 and made 
nine specific recommendations concerning the incident. A tenth recommendation 
addressed the need for the team to obtain training in human factors principles. 

The CI Human Factors Team has since received training on human factors from the 
Battelle Memorial Institute in a seminar conducted at KSC. Some team members 
attended a class on incident investigation taught by The Central Florida Chapter of the 
National Safety Council. The team has subsequently added a new member with 
extensive experience in human factors from Analex Space Systems, Inc. The team will 
continue to pursue additional human factors training. 

Finding #8: KSC has developed a Structured Surveillance Program with the objectives of 
decreasing overall process flow time, increasing "first-time quality," and reducing cost. 
The program approach involves reducing the reliance on inspections for assuring quality. 
Structured Surveillance also is proving valuable as a tool for the effective deployment of 
quality assurance resources. 

Recommendation #8: The Structured Surveillance program should be continued and 
cautiously expanded. 

NASA Response: KSC has improved structured surveillance data elements, data 
collection methods, and metrics for the entire program at KSC (both Government and 
contractor) and has discussed these improvements with the Panel. To ensure effective 
implementation of the Government application of the structured surveillance program, 
the leadership of this effort has been moved up to the directors of the two implementing 
organizations. These directors co-chair a newly formed control board that manages the 
generation and modification of the policies, procedures, and training necessary for full 
implementation of structured surveillance. 

ORBITER 

Finding #9: Thermal damage was noted on the STS-56 (OV-103) elevon tiles. The 
slumping of the tiles indicated that the tile surface reached a temperature of 
approximately 1,000° F. A temperature of this magnitude suggests that the temper and 
strength of the underlying aluminum structure could have been affected. 

Recommendation #9: NASA should initiate an analysis to determine the temperature 
profile of the underlying aluminum structure of the elevons and its possible consequences 
on the strength of the Orbiter structure. 





NASA Response: On STS-56 (OV-103), an alternate forward elevon schedule (part of 
Center of Gravity Expansion Activities' Detailed Test Objective (DTO) 251) was flown. 
This was the maximum-up schedule (12 degrees up) ever flown. There was some tile 
slumping (caused by temperatures exceeding 1500 degrees F) at the center hinge 
location, but detailed postflight vehicle inspection confirmed that the aluminum structure 
was neither damaged nor subjected to unacceptable temperatures. Positive 
Margins-of-Safety have been verified subsequently through thermal design analysis. A 
redesign has been certified and is currently being installed on all four vehicles. This new 
design will allow a full-up (16 degrees) elevon without overheating of the underlying 
structure. 

Prior to incorporation of this modification, the elevon schedule had been constrained to 
7 degrees up. 

Finding #10: The Shuttle tiles have provided effective heat protection. However, the 
surface of the tiles is easily damaged and their shrinkage and distortion properties are 
not as low as desired. A new tile formulation with superior characteristics and possibly 
lower density is being explored. 

Recommendation #10: NASA is encouraged to support the development of thermal 
protection tiles with improved mechanical properties and lower density than the current 
Shuttle tiles. 

NASA Response: NASA is considering several improvements to the Tile Protective 
System (TPS). On STS-51 (OV-105), a tougher tile coating on Fiber Reinforced 
Composite Insulation (FRCI-12) tiles was flown as a DTO on a few door n es on the 
base heatshield. There were no hits on these tiles. However, the DTO will be flown a 
number of times to obtain a good evaluation of the improvement expected from this 
coating. This tougher coating will enhance turnaround activities by minimizing tile 
replacement due to coating damage. 

Finding #11: NASA has made excellent progress on the engineering of the Multipurpose 
Electronic Display System (MEDS) for retrofitting Orbiter displays. However, there is 
no formal program to identify and include the safety advantages possible from a fully 
exploited MEDS. 

Recommendation #11: A thorough review of the performance and safety improvements 
possible from a completely developed MEDS should be conducted based on crew inputs 
to system designers and researchers. A definitive plan should be developed to determine 
the schedule/cost implications of such improvements, and, if warranted, implementation 
should be scheduled as soon as possible. 

NASA Response: The MEDS, when operational, will provide a foundation for potential 
upgrades and enhancements to the current crew displays that will improve safety. The 
initial MEDS program must be on line in a timely manner to replace aging 
electromechanical devices. The flight crew, mission operations, engineering, training, and 
safety, reliability, and quality assurance program personnel have all agreed that the 
"transparency" achieved by designing enhanced displays similar in function and 
appearance to the current displays is the optimum solution initially. By designing similar 
but enhanced displays, the impacts for a mixed fleet while MEDS is being installed are 
minimized in the areas of training and flight software. There is only one single-motion 
base simulator; therefore, crews training for MEDS or non-MEDS equipped vehicles will 
be able to train on displays that are similar to those they will use in flight. Similar 
display formats do not require any changes to the existing flight software. Once trainers 
and laboratories are equipped with MEDS, the test beds will be in place to evaluate 
display upgrades. 


The next phase of the total orbiter displays-and-controls update activities will be to 
achieve a world-class state-of-the-art system by expanding the total complement to digital 
electronics replacing current wiring and switches as practical. Planning for this phase is 
beginning, but the exact implementation schedule will be dependent on funding 
availability as well as future human-tended spacecraft planning. 

Finding #12: The Improved Auxiliary Power Unit (IAPU) has experienced problems 
that have impacted Space Shuttle processing and logistics. 

Recommendation #12: A new focus on increasing the reliability of the total IAPU system 
should be initiated and supported until the identified problems are solved. 

NASA Response: To improve Auxiliary Power Unit (APU) reliability, a continuous 
improvement program has been underway since the STS 51-L accident. Results from 
this program include the completion of an IAPU "upgrade" project (which eliminated 
injector tube corrosion, exhaust housing cracking, and some Criticality 1 concerns), a new 
design for the turbine wheel, an improved APU controller and fuel isolation valve, and 
the more reliable "Path a" Gas Generator Valve Module (GGVM). These changes have 
resulted in a greatly reduced rate of APU in-flight anomalies and fewer delays to the 
Shuttle processing and logistics support activities. Elements of the continuous 
improvement program not yet complete, but now underway include development of an 
entirely new GGVM, certification of a new material for the fuel pump thermal isolator, 
and development of more vibration-resistant thermostats. As the new GGVM is 
incorporated in the fleet, the APU should be totally certified for its planned 75-hour life 
capability. 

Finding #13: In its response to the Panel's last Annual Report, NASA indicated that 
"The program is reviewing the operational flight rules pertaining to Autoland, we have 
budgeted upgrades in software and hardware to improve the Autoland functionality, the 
life sciences organization is collecting physiological data and developing countermeasures 
to ensure adequate crew performance as the mission duration increases. We are 
confident with using Autoland in a contingency mode, but do not plan to demonstrate 
Autoland until a firm requirement mandates a demonstration." 

Recommendation #13: The focus of Autoland should not be exclusively on long-duration 
missions. NASA should formulate a complete set of operational procedures needed for 
emergency use of Autoland, taking into account a full range of operational scenarios and 
equipment modifications that might be beneficial. These include upgrades to the 
Microwave Scanning Beam Landing System (MSBLS) receiver group, and installation 
and certification of Global Positioning System (GPS) capability. 


NASA Response: It is agreed that the Autoland system should not be focused just on 
long-duration missions. Currently, mission planning requirements do not include 
missions longer than approximately 18 days, including the Space Station program. The 
entry systems requirements including piloting techniques are continuously assessed for 
improvements. Autoland backup capabilities as well as heading alignment cone piloting 
enhancements are being developed and will be incorporated as we continue to 
implement the flight program. MSBLS/GPS type systems are being considered and will 
be brought on line as improvements are practical. 


No specific training or procedures are required for the emergency use of Autoland, as 
the only manual tasks required of the crew in an Autoland scenario (e.g., deploying 
landing gear, postlanding braking, air data probe deployment, and navigation sensor data 
incorporation) are identical to those performed in a manual landing. Present flight rules 
define orbiter and landing-site equipment that must be functioning to perform an 
Autoland landing. The decision to engage Autoland in a contingency is left to the 
commander’s discretion to protect the safety of the crew. Exact flight rules to define all 
Autoland engagement criteria exceed the number of failure cases addressed by the 
current flight rules. A program to expand these criteria would require large resource 
commitments to develop and is not currently in the planning. 


SPACE SHUTTLE MAIN ENGINES (SSME) 

Finding #14: The SSME has performed well in flight but has been the cause of launch 
delays and on-pad launch aborts that were primarily attributable to manufacturing 
control problems. 

Recommendation #14: Continue to implement the corrective actions developed by the 
NASA and Rocketdyne manufacturing process review teams and devise techniques for 
detecting and/or precluding recurrence of the types of problems identified. 

NASA Response: The process audit teams and the NASA and Rocketdyne incident 
investigation teams have both identified process improvements which either have been or 
will be incorporated into all areas of the engine program. These process improvements 
will improve detection and preclude the recurrence of manufacturing control problems in 
any of our new or recycled hardware and substantially reduce the likelihood of 
associated problems leading to launch delays or launch pad aborts. 


Finding #15: "Sheetmetal" cracks in the Phase II (current) High Pressure Fuel 
Turbopump (HPFTP) have become more frequent and are larger than previously 
experienced. This has led to the imposition of a 4,250-second operating time limit and a 
reduction of allowable crack size by a factor of four. Congress has delayed the funding 
for restarting the development of the alternate HPFTP. This new turbopump design 
should eliminate the cracking problem. 





Recommendation #15: Restart the development and certification of the alternate HPFTP 
immediately. 


NASA Response: NASA fully agrees with the recommendation to restart the alternate 
HPFTP immediately. Congressional authority to restart the program was received on 
April 14, 1994. The Space Shuttle program (SSP) is proceeding with the restart. The 
alternate HPFTP will be incorporated into the Block II SSME configuration with first 
flight scheduled for September 1997. 

Finding #16: The approved parts of the engine component improvement program, now 
organized into block changes, are progressing well. The Block I grouping will enter 
formal certification testing by mid-1994. Progress in the Block II effort is, however, 
hampered by the delay in restarting the alternate HPFTP development effort. 

Recommendation #16: Continue efforts to complete all of the Block II development as 
soon as possible. 

NASA Response: NASA fully agrees with this recommendation and is firmly committed 
to developing and implementing all of the SSME safety improvements, including the 
Alternate HPFTP and the Large Throat Main Combustion Chamber. Upon completion 
of these modifications, a significant reduction in Shuttle operational risk will be realized. 
Initiation of full-scale development testing is currently planned for mid-1995, with first- 
flight capability scheduled for September 1997. 

Finding #17: Engine sensor failures have become more frequent and are a source of 
increased risk of launch delays, on-pad aborts, or potential unwarranted engine shutdown 
in flight. 

Recommendation #17: Undertake a program to secure or develop and certify improved, 
more reliable engine condition sensors. 

NASA Response: Improved hot gas temperature-sensing instrumentation is undergoing 
development testing and is planned for the first flight in FY 1995. A two-step 
improvement process for pressure and flow measuring instrumentation is also under way. 
As a first step, a new screening selection process has been developed for immediate 
implementation to improve sensor quality control. The second step, redesigning and 
improving sensors, is being implemented as these improvements become available. 

Finding #18: The SSME health monitoring system comprising the engine controller and 
its algorithms, software, and sensors is old technology. The controller's limited 
computational capacity precludes incorporation of more state-of-the-art algorithms and 
decision rules. As a result, the probabilities of either shutting down a healthy engine or 
failing to detect an engine anomaly are higher than necessary. 

Recommendation #18: The SSME program should undertake a comprehensive effort to 
improve the capability and reliability of the SSME health monitoring system. Such a 
program should include not only improved sensors but also a more capable controller 
and advanced algorithms. 


NASA Response: NASA agrees that the development and implementation of an 
advanced health monitoring system for the SSME is potentially worth pursuing. The 
system currently being considered would incorporate more processing capability in an 
upgraded controller and allow the utilization of advanced health monitoring software 
algorithms. With an improved system of this nature, the probability of shutting down a 
healthy engine would be reduced while the probability of preventing a catastrophic 
failure would be increased. NASA is reviewing proposals that would certify and 
implement this new capability into the Block II SSME configuration. 


SOLID ROCKET MOTORS 

Finding #19: A segment of an aft skirt will be used to test the effectiveness of an 
external bracket modification in reducing the overall bending stress of the skirt. The 
validity of using an 11-inch-wide test specimen to determine the effectiveness of the 
bracket is yet to be demonstrated. 


Recommendation #19: NASA should evaluate the first specimen test results to see if the 
strains in the weld area duplicate the strains found when a full aft skirt was tested in the 
Static Test Article-3 (STA-3) test. If not, another test approach should be pursued. 


NASA Response: Tests on three of the four aft skirt test specimens have been 
completed. The baseline test article (TA-1), which represents the current aft skirt 
configuration, has been subjected to 100 percent of the developed load case. Based on 
thorough evaluation of the TA-1 test data and correlation of the data with STA-3 test 
results, it is clear that the weld area strain field developed in the TA-1 test article 
correlates well with the strain field in this same area on the STA-3 aft skirt. This 
correlation confirms the validity of the test approach being used. 

The second test article (TA-4) was also in the baseline configuration and was subjected 
to a maximum load of 70 percent of the developed load case. This article utilized the 
photoelastic method for determining the strain field as opposed to using the typical strain 
gage method used on all other articles in this test program. This test verified that the 
STA-3 strain field could be duplicated on two separate articles within acceptable limits 
and that no high strain areas were overlooked during the analytical study of the test 
article response. 

The third test article (TA-2), which has an external bracket for the reduction of strain in 
the critical weld region, was subjected to 205 percent of the developed load case with no 
structural anomalies occurring. Comparisons of the baseline configuration article (TA-1) 
and the bracketed configuration article (TA-2) were made at 100 percent loads. This 
comparison demonstrated that there was approximately a 50 percent reduction in 
average weld strain in the critical weld region. 





The baseline configuration article (TA-1) was tested to failure during June 1994. This 
test defined the weld failure strain for the TA-1 article. Test data obtained from this 
test is being compared to the results of the 205 percent TA-2 test and the STA-3 test to 
develop a comparative assessment of the benefit gained by the addition of the external 
bracket modification. If this assessment does not reveal adequate stress reduction, 
additional testing may be indicated. 

Finding #20: A small crack was found in the inner wall of a forward Redesigned Solid 
Rocket Motor (RSRM) casing used for STS-54. Although slightly above the specified 
minimum detectable size, it was well within the acceptable limits for safe flight. This 
was the first time that a crack had been found in a forward segment, although cracks 
have previously been detected in other segments. The crack occurred during the 
manufacturing heat treatment process because of an inclusion in the parent material. 

Recommendation #20: The X-ray and magnetic particle inspection program criteria 
should be re-evaluated to assess their ability to detect cracks of the size found. 

NASA Response: A single crack was detected during standard refurbishment of the 
forward segment flown on STS-54. The subsequent investigation determined that an 
inclusion introduced into the metal during the manufacturing process caused the crack to 
form during heat treatment of the cylinder. The segment had been flown four times 
prior to detection of the crack. Prior to each of these flights, the cylinder was proof 
tested, which demonstrated safe life (4 mission cycles) in the membrane region where 
this crack was found. 

All areas of the RSRM metal hardware (case, nozzle, igniter) have been reevaluated 
with respect to critical flaw size and whether proof test, magnetic particle inspection or 
other nondestructive evaluation methods are required to demonstrate compliance to safe 
life requirements. As a part of this reevaluation, an RSRM hardware configuration 
specific magnetic particle inspection probability of detection (POD) study was completed. 
Prior to this study, crack detection threshold limits were based on industry standards. 

This RSRM magnetic particle inspection POD study incorporated RSRM specific 
geometries, physical access, gauss levels, surface finishes, potential flaw types, inspection 
times, and multiple operators. The results demonstrated that, in the areas of the RSRM 
hardware upon which magnetic particle inspection is solely relied, the detectable flaw size 
is smaller than the critical flaw size. Proof test is the method of choice used to 
demonstrate safe life in the case membrane region, not magnetic particle inspection. 

X-ray inspection is not used for crack detection in RSRM metal hardware. Magnetic 
particle inspection capability has been reevaluated and, as a result of an RSRM 
hardware configuration specific POD study, detection capability versus location is well 
characterized. In those areas that rely solely on magnetic particle inspection, the 
detectable flaw size is smaller than the critical flaw size. 

Finding #21: The Advanced Solid Rocket Motor (ASRM) project has been canceled. 
Some elements from the ASRM development have possible reliability and/or 
performance benefits if they were applied to the RSRM. 





Recommendation #21: Examine the potential applicability and cost-effectiveness of 
including selected ASRM design features in the RSRM. 


NASA Response: The RSRM project has continued to consider ASRM design attributes, 
as motivated by RSRM flight results, performance goals, obsolescence issues, and cost 
enhancements. Examples of these are the RSRM project's ongoing initiative to replace 
metal parts vapor degrease cleaning with an aqueous process and the ongoing initiative 
to remove asbestos from the primary RSRM insulation material. Both of these 
obsolescence replacement activities have drawn from previous ASRM activity. 


There are numerous ASRM design attributes for potential consideration for future 
adoption in the RSRM. These include, in part, propellant formulation (hydroxyl- 
terminated polybutadiene), sealing system designs, pressure vessel design and materials, 
some attributes of the nozzle design, and some manufacturing process automation, such 
as insulation strip winding and Real Time Radiography (RTR) for nozzle and case 
inspections. At present, the RSRM project is considering incorporation of the previous 
ASRM RTR system into the RSRM hardware verification process and the use of ASRM 
manufacturing equipment for nozzle fabrication. Based on collective consideration of 
the implementation cost impacts and RSRM flight demonstrated hardware performance, 
no requirements have been established to pursue the ASRM sealing system, pressure 
vessel or nozzle design attributes. However, future justifications in these areas are 
possible based on continuing RSRM flight evaluation or increased Shuttle program 
performance requirements. 

Finding #22: A chamber pressure excursion of 13 psi (equivalent to a thrust 
perturbation of 54,000 pounds) occurred in one of the RSRMs of STS-54 at 67 seconds 
of motor operation. A thorough investigation of the phenomenon was initiated and 
found that the most probable cause was the expulsion of a "slug" of liquid slag 
(aluminum oxide) generated during normal propellant combustion. Analyses showed 
that, even under statistical worst-case conditions, the safety of the Shuttle system is not 
compromised by such perturbations. Some testing and analyses are still scheduled to 
complete the investigation. 

Recommendation #22: Complete and document the investigation, and continue the 
established practice of monitoring chamber pressures and examining possible remedial 
actions. 

NASA Response: The RSRM project has concluded its investigation and has determined 
that the generic cause of chamber pressure excursions is the periodic expulsion of liquid 
slag (aluminum oxide). Slag is produced during normal propellant combustion and is 
temporarily accumulated in the aft end of the nozzle prior to being dumped through 
the nozzle. The RSRM project has implemented the recommendations set forth by the 
Panel and has established a program to continue to evaluate multiple parameters that 
could affect the pressure perturbations. The results and findings of these studies are 
being reviewed and changes to the processes or specification will be made if it is 
concluded that they will be beneficial to the program. 


A very detailed study of many process and material parameters that influence slag 
formation has been conducted to determine if a statistical correlation exists between 
these parameters and the pressure perturbations. Examples of these parameters include 
humidity, time in process, ammonium perchlorate (AP) moisture content, mix times, cast 
times, viscosity, mechanical properties, and many others. No special causes or process 
deviations related to pressure perturbations have been identified. Analyses have shown 
that, under the worst case conditions, the safety of the Shuttle system is not compromised 
by the pressure phenomenon. The results of this extensive study are currently being 
documented by Thiokol. 

Chamber pressures are being analyzed or monitored by Statistical Process Control charts. 
Eighteen acceptance tests are conducted for each lot of AP. The flight and static test 
pressure perturbation history is reviewed before every launch. Additionally, several 
other studies are being conducted to improve the predictability of pressure excursions. 
Quench bomb tests recorded with high-speed film have been used to identify burn-rate 
differences in the various propellant mixes. Five-inch diameter spin motor tests are 
being conducted to evaluate the amount of slag that is generated in a motor. This 
testing employs a design of experiments to evaluate the effects of ground AP, unground 
AP, differences in AP vendors, aluminum-particle sizes and vendor differences, particle- 
size distributions, iron oxide surface area, and several other parameters. 



Finding #23: A Super Light Weight External Tank (SLWT) has been proposed as a 
means of increasing the payload performance of the Space Shuttle. The tank would 
employ structural changes and be made from an Aluminum-Lithium (Al-Li) alloy. The 
SLWT appears to involve no safety decrement and low technical risk. 

Recommendation #23: The impact of the SLWT on the total system should be carefully 
examined. 

NASA Response: The External Tank Project and Shuttle program are thoroughly 
committed to an integrated system approach to the design and development of the 
SLWT. A systems integration plan to ensure the timely assessment of SLWT effects on 
the Shuttle system, and to ensure programwide-managed implementation is currently in 
development. 


Finding #24: The Integrated Logistics Panel (ILP), which meets at 6-month intervals to 
report and coordinate the activities of the NASA Centers and their contractors, is 
performing a vital service in helping to control the entire Space Shuttle logistics program. 

Recommendation #24: The ILP should continue to be supported as an effective means of 
maintaining control and coordination of the entire logistics program. 


NASA Response: NASA Centers and contractors continue to support the ILP and 
related integration activities. All project elements benefit from the exchange of technical 
data presented at ILP meetings. NSTS 07700, Volume XII, "Integrated Logistics 
Requirements", the program’s requirements for integrated logistics, was recently updated, 
and the ILP provided a focus for this effort. The ILP will continue to serve as the forum 
for problem solving, technical information exchange, and the appropriate level of control, 
coordination, and integration of Shuttle logistics support. 

Finding #25: The Vision 2000 cost-reduction program promulgated in May 1993 includes 
some major changes in the logistics and support areas. 

Recommendation #25: All changes that might impair logistics and support functions in 
the name of cost-cutting should be most carefully reviewed before implementation. 

NASA Response: As the program continues to plan for the future, the Vision 2000 
approach to the program will remain relevant. The Vision 2000 approach is based on the 
following two principles: operate within SSP experience and locate decisionmaking near 
operations. Notwithstanding the advantages these principles offer to the current Shuttle 
logistics community, the SSP office will remain vigilant and exercise caution when 
making cost-cutting decisions and changes necessitated by funding reductions. 

Finding #26: Introduction of the Just-In-Time (JIT) manufacturing and shelf-stocking 
concept by NASA logistics at KSC is a potentially effective method of cost control. 

Recommendation #26: JIT should be used with caution and with a thorough 
understanding of how it may impact the availability of Space Shuttle spares and 
hardware supplies. 

NASA Response: All projects have cautiously considered the JIT method of spares 
provisioning and are in different stages of planning and implementation. Launch and 
Landing Project (L&L) has applied the JIT method to manufacturing activity. In 
addition, L&L is further studying alternative methods of prioritizing repair work which 
may be applied to JIT repairs at a later date. Operational availability will be uppermost 
in any JIT implementation decision strategy affecting spares and hardware supplies. 

Finding #27: A review of the main logistics system performance parameters indicates 
that the program is generally performing effectively. There are minor problems with 
zero balances, and repair turnaround times appear to be worsening. Cannibalization, 
with the exception of the IAPU, is at a minimum. Because of manufacturing and 
assembly quality problems, the number of spare engines is at a minimum and could 
become a logistics problem. 

Recommendation #27: Additional emphasis should be focused on repair turnaround time 
improvement and the reduction of cannibalization of SSME and IAPU components. 
NASA should continue the efforts to improve SSME manufacturing control and quality 
processes to preclude future engine availability problems. 


NASA Response: Supportability indicators for improved performance are continually 
monitored. Increased coordination with vendors, transition of selected tasks from 
vendors, and resolution of technical issues related to higher-than-normal hardware failure 
rates have assisted in expediting hardware delivery. The average repair turnaround time 
for L&L is 25 percent lower than FY 1988, but supportability is the key measurement of 
logistics success. Items that are not needed to ensure support (on either a vehicle or the 
shelf) are no longer being repaired on a priority basis to save dollars. Minor problems 
associated with zero balances should improve through the identification of single-source 
vendors and continued efforts to identify alternate sources. 

IAPU’s continue to be worked on a priority basis. Most of the technical problems 
associated with cannibalization in 1993 have been solved. There was no cannibalization 
during the period January through April 1994, as there are spare units at KSC. In 
addition, ongoing discussions with vendors are attempting to improve production issues, 
and a redesign is underway as a long-term solution. Monitoring of this critical asset will 
continue. 


The SSME Project Office encountered a short-term issue with contamination of 
temperature transducer probes. Plans for resolution of this issue include process changes 
and testing (green run) prior to delivery to L&L. Pump and nozzle shortages are the 
result of natural disaster (Northridge earthquake), other technical issues, and the SSME 
project standdown period. Full implementation of changes in methods of support to 
manufacturing control and quality processes should improve availability of SSME 
hardware. We will intensively manage the correction of these issues to ensure 
availability of complex SSME hardware. 


C. AERONAUTICS 


Finding #28: The Dryden Flight Research Facility (DFRF) does not presently have a 
range safety policy and system for Unmanned Aerial Vehicles (UAVs) such as the 
Perseus, which is about to enter extensive testing. A working group under the DFRF 
Chief Engineer is examining the issue. 

Recommendation #28: DFRF should develop a range safety policy and system that are 
adequate to cover its contemplated UAV projects. 

NASA Response: The Director of the Dryden Flight Research Center (DFRC), nee 
Dryden Flight Research Facility (DFRF), has recently established a policy document on 
UAV flight operations and activities. This policy has been coordinated closely with 
Edwards Air Force Flight Test Center (AFFTC) officials, since air space and facilities 
are managed by the local Air Force establishment. 

The Perseus UAV, having just completed its initial contracted flight test activity, during 
which it achieved an altitude of 16,500 feet, is being operated in accordance with this 
policy. It is our intent to continue using the Perseus vehicle as a pathfinder for 
validation of UAV operational procedures during step-by-step expansion of the flight 
envelopes for expanding the flight altitude up to 85,000 feet. DFRC will continue to 
assure safe flight operations and control of UAV flight activities through technical risk 
analysis, management reviews, and the imposition of appropriate range safety precautions 
prior to each flight. 

Finding #29: The DFRF flight safety and mission assurance organization now reports 
directly to the Director of the facility. 

Recommendation #29: None. 

NASA Response: This change in reporting authority will continue to ensure that flight 
safety and mission assurance issues are addressed in a timely manner and to the 
appropriate level of Center management. 

Finding #30: The X-31 aircraft exhibited some undesirable stability characteristics at 
higher subsonic speeds and an unexpected departure during a high angle of attack test. 
It also carries an insufficient quantity of hydrazine to run its emergency power unit long 
enough to return to the Edwards runway from the typically used flight test site. 

Recommendation #30: Future test objectives for the X-31 should be based on an 
assessment of the specific program objectives that can only be uniquely and safely 
performed by this aircraft. 

NASA Response: The X-31 has no undesirable stability characteristics at higher subsonic 
speeds within its current cleared flight envelope. There is, however, a pitch-up tendency 
between 0.91 and 0.95 Mach number when the aircraft is between 10 degrees and 
12 degrees angle of attack (AoA). This represents flight at elevated gravitational (g) 
loading (2.5g to 4.5g, depending on altitude) outside of the 0.9 Mach number envelope 
limit. The condition is caused by a positive (nose up) break in the airframe pitching 
moment. It was predicted by wind tunnel tests and was a known condition prior to being 
encountered in flight when the aircraft inadvertently exceeded the Mach limit during a 
wind-up turn. 


To mitigate the risks associated with this characteristic, the X-31 now operates with the 
flight envelope restricted to 0.85 Mach number, except for planned test maneuvers. As 
an added precaution, the Master Caution/Warning (MCW) tone activates when the 
Mach number exceeds 0.88 and a caution light is illuminated in the cockpit. When 
specific tests, such as the supersonic quasi-tailless demonstration, require exceeding this 
Mach number, the air crew and engineering staff are briefed, an AoA limitation is 
enforced, and responsibilities for real-time monitoring are reviewed. The reduced Mach 
limit and other procedures have not affected achievement of the X-31’s flight test goals. 
No subsequent pitch-up incidents have occurred since these procedures were emplaced. 

The X-31 experienced a yawing departure very early in its poststall envelope expansion 
flight test program. The test, a split-s and pull to 60 degree AoA from 125 knots 
calibrated airspeed (KCAS) at 35,000 feet (about 1.3g’s maximum), was only the third 
elevated g post-stall entry test and represented a modest step toward the goal of 0.7 
Mach number post-stall entries. Both the pilot and the control room quickly recognized 
the departure and called for recovery according to the prebriefed monitoring procedures. 
The pilot was able to immediately pitch down to conventional AoA and recover the 
aircraft to controlled flight. 


The departure was due to an unexpected aerodynamic asymmetry, but such occurrences 
were not unanticipated. The pitch recovery margin designed into the aircraft, the 
planned and gradual buildup of flight maneuvers and conditions, and the monitoring 
procedures ensure the maximum chance for safe recovery from this kind of unexpected 
problem. 

Further, after the departure, poststall flight-envelope expansion was suspended until the 
cause of the departure was identified, understood, and fixed. Wind tunnel tests indicated 
that the large aerodynamic yaw asymmetries that caused the departure were due to the 
very sharp nose of the X-31 aircraft. The asymmetries experienced during flight were 
more than five times as large as wind tunnel predictions, but it was discovered that the 
aircraft was built with a nose that was sharper than the wind tunnel models. The wind 
tunnel tests further suggested that a slight blunting of the aircraft nose to match the wind 
tunnel model would probably eliminate the problem and that small nose strakes would 
further improve the asymmetries and the directional stability of the aircraft at 60 degree 
AoA. 


The aircraft was modified to blunt the nose and add the nose strakes. Maneuver and 
flight condition buildup was changed to increase in smaller steps. Monitoring procedures 
were reviewed (and subsequently adjusted), and the flight test expansion of the 
elevated-g, poststall entry and maneuver envelope resumed. Since then, no departures or 
near-departures have occurred, and the aircraft has been cleared to poststall entries up 
to 265 KCAS or 0.7 Mach number (almost 6g’s maximum) with unrestricted maneuvering 
up to 70 degrees AoA. These flight test operating modifications will enable the project 
to accomplish its tactical utility program objectives. 

During the design, fabrication, and assembly of the X-31, Rockwell, MBB, and the Naval 
Air Systems Command were confronted with a number of difficult tradeoffs in 
attempting to achieve the desired thrust-to-weight ratio in the aircraft. One of the most 
deliberated issues was the purpose and function of the electrical power unit (EPU). As 
a result of these deliberations, the EPU was sized for the purpose of providing 
uninterrupted electrical and hydraulic power for enough time to restart the engine in the 
event of an engine flameout. The EPU was never intended nor, more importantly, 
designed to provide the capability to return to base. 

The philosophy for the utilization of the EPU is consistent with other single engine 
aircraft (i.e., the X-29A and the F-16). The X-31 EPU run time is nominally 
4.5 minutes, while the X-29A had 8.0 minutes and the F-16 has a minimum of 
100 minutes. DFRC’s current operating procedures do not recommend a dead-stick 
landing (neither did the X-29A’s); however, it is a pilot option if the aircraft is close to a 
landing flight condition. 

The ability to land "engine-out" is determined by both the EPU time and the flame-out 
landing distance of the aircraft. The flame-out landing distance is an imaginary inverted 
cone of distance versus altitude determined by the glide ratio of the aircraft. This cone 
may be further restricted in altitude and distance by EPU duration. Outside of this 
cone, no amount of EPU time will permit an "engine-out" landing. Much of the flight 
test site areas typically used at Edwards are beyond the flame-out landing range of any 
fighter aircraft. Flights at 10,000 feet, for example, would have to be performed within 
approximately 10 miles of Edwards to remain within this glide cone. 

When the aircraft were moved to Dryden and NASA became an active member of the 
International Test Organization and assumed flight clearance authority, a complete 
independent review of the aircraft systems and issued flight clearance using the Dryden 
Basic Operations Manual was conducted. During the course of this review, DFRC 
focused on two major concerns: the potential for the engine to stall during high AoA 
testing and the quantity of hydrazine available for the EPU. 

The potential for the engine to stall during high AoA was studied at the outset of flight 
test operations, as an undesired event, and was subsequently assigned the probability for 
occurrence as being unlikely (but possible), and the risk for potential loss of aircraft 
(with safe ejection of the pilot) was accepted. As the result of a more recent review of 
the accepted risks, the probability of occurrence was downgraded to extremely improbable 
based on the completion of high AoA envelope expansion and more than 170 hours of 
aggressive maneuvering performed during the tactical utility phase of the program with 
no engine anomalies or stalls experienced. Engine operation will continue to be 
monitored "real time" from start through shutdown, and any additional knowledge 
obtained will modify our risk knowledge data base or, more importantly, it may form the 
basis for changes to mitigate risk. 

To assess the potential impact due to the low quantity of hydrazine available for the 
EPU, Dryden performed a complete-risk analysis of the aircraft, including engine and 
subsystem reliability, proximity of flight operations to landing areas, and other pertinent 
factors. Based on this review, a hydrazine quantity gage was installed to give the pilot 
essential information on whether or not to remain with the aircraft in the event of a 
system failure. The gage quantity is checked as part of the aircraft preflight inspection 
and the hydrazine quantity is monitored "real time". 

Based on our experience with the X-29A, we concluded that the philosophy embodied in 
the original design was reasonable, and the risk was acceptable if we instituted and 
maintained a closely managed quality control and maintenance inspection program. 
Therefore, Dryden management placed hydrazine quantity on the accepted risk list. We 
are managing risks that are entirely acceptable for this experimental aircraft program, 
sponsored by the Advanced Research Projects Agency (ARPA). This has been borne 
out by the successful completion of all program objectives to date. 

Safety of the operation of the aircraft test vehicle and safety of the test points to be 
performed are continually reviewed and improved. The "unexpected departure during a 
high angle of attack test" is an excellent example of how an unexpected problem was 
dealt with and eliminated. 

As a result of the extremely successful completion of the X-31 flight test program 
objectives, an 8-month follow-on program is being planned to explore in-flight virtual 
targeting development, assessment of high AoA/off boresight missiles, pseudo tailless 
aircraft flight tests, using thrust vectoring; and evaluation of high AoA handling qualities 
and design criteria, as evolutionary steps to the completed program. These programs will 
use the existing flight envelope and the same airspace used in the completed program. 
The only planned use of the supersonic corridor, which results in the greatest excursion 
from the Edwards Air Force Base airspace, is during a portion of the Agile Warrior 
virtual-adversary demonstration. 

This high-priority Navy/ARPA-sponsored follow-on program takes advantage of the 
unique capabilities of the X-31 aircraft to begin pursuing these objectives immediately. 
These capabilities include providing support for existing research and laying the 
groundwork for follow-on efforts, such as the Joint Advanced Strike-Fighter Technology 
Program. 


At the completion of the 8-month follow-on program, an assessment and review will 
evaluate the feasibility and risks associated with the reduction of vertical tail size as a 
further extension of the study of thrust vectored flight capability. Results from this 
assessment will be briefed to the Dryden Airworthiness Board as part of the new 
program proposal and appropriate action will be taken. The ASAP Chair will be invited 
to the Air Force Safety Review Board review of this subject. 


The reduced tail size tests will use the X-31’s mature simulation data base, its fully 
integrated thrust vectoring/flight control system, and the experience gained in the quasi- 
tailless tests to investigate tailless flight. This will provide valuable experience and data 
to support design drag, weight, and manufacturing savings to commercial and to military 
aircraft. Military aircraft would also benefit from the reduced-radar signature of these 
new designs. 

The "Agile Warrior" program will integrate key enabling technologies, such as advanced 
pilot situational aids, helmet displays, cockpit displays, and a wide-area distributed 
simulation network, to create a realistic war fighting/training environment linking 
airborne aircraft with multiple ground-based simulators. This promises cost savings in 
both training and in rapid assessment of advanced technologies in a large-scale, realistic 
simulation environment. 

Other tests investigate sensor design, maneuverability, agility, performance, and handling 
qualities during poststall maneuvering and in conventional flight using thrust vectoring. 
The valuable data from these envelope-expanding flight tests will enhance integration of 
these technologies into operational aircraft designs. 

In conclusion, safety of flight for the X-31 International Test Organization has always 
been and will continue to remain our foremost guiding principle. The achievement of 
planned flight test objectives will continue to be guided by a methodical process of flight 
data evaluation and gradual, deliberate expansion of flight envelopes. Risks will be 
understood and prudently accepted with the safety of the pilot and aircraft as the 
principal considerations. 


D. OTHER 


Finding #31: NASA’s past approach to software development has been to incorporate it 
within the individual programs, allowing them to determine their own requirements and 
development, verification, and validation procedures. In the future, as the complexity of 
computer systems and the need for interoperability grow, this mode of operation 
will be increasingly less satisfactory. While NASA has some good software practices, it 
does not have the overall management policies, procedures, or organizational structure 
to deal with these complex software issues. 


Recommendation #31: NASA should proceed to develop and implement an Agencywide 
policy and process for software development, verification, validation, and safety as 
quickly as possible. 


NASA Response: A software process action team, sanctioned by the Acting Deputy 
Administrator and the Information Resource Management Council, is working on 
Agency software issues including roles, responsibilities, standards, and procedures. The 
Office of Safety and Mission Assurance is leading the Agency in strategic planning for 
the Agencywide software program with a NASA working group consisting of members 
from Centers, industry, and academia. 


A Software Safety Standard has been completed. Our present plan is to establish this as 
an interim standard for 1 year at which time it will become a mandatory requirement for 
newly developed software. The Software Independent Verification and Validation 
Facility will focus on the Agency software processes for development, verification, and 
validation in accordance with the Software Strategic plan currently being developed. 


Finding #32: NASA has consolidated life and microgravity sciences and applications 
including human factors in the Office of Life and Microgravity Sciences and Applications. 
The Space Human Factors & Engineering Program Plan is being prepared to 
guide future research activities. There remains, however, a clear need for more 
operational human factors input in both the Space Shuttle and Space Station programs. 

Recommendation #32: The Program Plan should be expanded to include support of the 
operating space flight programs to ensure that sufficient human factors expertise is 


NASA Response: The Life and Biomedical Sciences and Applications Division is 
committed to developing a new, dynamic Space Human Factors Engineering Program 
that will integrate human factors knowledge and methodologies into the Shuttle and 
Space Station programs. Leadership of this program resides within the Environmental 
Systems and Technology Branch of Code U, which is responsible for directing an 
integrated Space Human Factors Engineering research and development program. New 
processes and procedures will be developed to enhance crew training, augment the 
design of complex automated systems, and use extreme and isolated environments to 
conduct analog studies. Research programs will continue; however, the primary focus of 
the program will shift from knowledge acquisition to knowledge application. This shift will 
extend human factors support to operational areas and emphasize the improvement of 
processes and products. 

The Space Human Factors Engineering Program Plan, developed in 1993, is being 
revised to reflect this shift of emphasis, and an implementation plan will be developed to 
establish and maintain this new focus. Emphasis will be placed on identifying specific, 
adequate funding for meaningful results, and promoting the added value of human 
factors through concurrent engineering throughout the Agency. A Space Human Factors 
Engineering Customer Team, currently being established at Headquarters with 
representatives from Codes U, M, R, and Q, is being received in a spirit of cooperation 
and collaboration. These changes should create a safer and more productive operational 
environment for all flight and ground activities planned for current and future programs. 


Finding #33: There are excellent examples of Total Quality Management (TQM) 
principles and practices in various contractor and NASA activities. 

Recommendation #33: NASA and contractor management should use the existing 
effective TQM implementations as models for their continuing TQM efforts. 


NASA Response: The Office of Continual Improvement is aggressively pursuing 
implementation of TQM across NASA. Particular emphasis has been focused on the 
Agency Quality Steering Team (QST) and Continual Improvement Council (CIC) 
activities. The Agency Continual Improvement Plan is in the final stages of development 
and expected to be signed in late summer 1994 by the Chair of the QST (the Acting 
Deputy Administrator). In addition, the Office of Continual Improvement has worked 
with the Office of Human Resources and Education in developing and establishing 
training courses for enhancing individual expertise in applying TQM concepts. As an 
example, a 2-day Joiner Team Training session focusing on a common team framework 
for continual improvement teams was presented in May 1994 to the Headquarters CIC 
and others. 


Although the Panel’s report cites specific positive applications of TQM in providing an 
assessment of the NASA results, we recognize that continual improvement across the 
Agency and its contractors is necessary. We will continue to encourage and practice 
continual improvement in all areas to affect the necessary changes. 


APPENDIX C 

NASA AEROSPACE SAFETY ADVISORY PANEL ACTIVITIES 
JANUARY 1994 - JANUARY 1995 

JANUARY 

19       Total Quality Management Letter Report to Administrator 

FEBRUARY 

3        Congressional Staff Visit re Panel’s Annual Report, Washington, DC 

15       Panel Review of NASA’s Strategic Plan 

23-25    Review of Multi-Function Electronic Display System/Pilot Assisted 
         Landing Program; Aircraft Guidance and Navigation Activity; General 
         Aviation/Commuter Technology; and Human Factors, Ames Research 
         Center 

MARCH 

16       Aerospace Safety Advisory Panel Presentation to the Senior Management 
         Council, NASA Headquarters 

22       Review of Space Station/Russian Programs, NASA Headquarters 

23       Review of Total Quality Management, NASA Headquarters 

23       Aerospace Safety Advisory Panel Annual Meeting, NASA Headquarters 

24       Review of NASA Safety Programs with Office of Management and 
         Budget, Washington, DC 

APRIL 

5-7      STS-59 Mission Activities, Kennedy Space Center 

15       Review of Improved Auxiliary Power Unit, Sundstrand, Rockford, IL 

MAY 

10       Solid Rocket Motor Review, Thiokol, UT 

         Filament Wound Case Review, Hercules, Salt Lake City, UT 

17-19    Reviews of Multi-Function Electronic Display System and Space Station, 
         Johnson Space Center 

31       Intercenter Aircraft Operations Panel Meeting, El Paso, TX 



JUNE 

28       Review of Space Shuttle Main Engine Testing, Stennis Space Center 

29       Review of External Tank Programs, Michoud Assembly Facility 

JULY 

1        Review of Office of Safety and Mission Assurance role in safety 
         certification; Review of Space Shuttle/Mir Safety; Space Shuttle 
         reliability discussions with Japanese News Agency, NASA Headquarters 

15       Perseus A Flight Readiness Review, Dryden Flight Research Center 

21       Software Process Action Team Meeting, NASA Headquarters 

AUGUST 

2        Perseus B Flight Readiness Review, Dryden Flight Research Center 

8        Discussions with Administrator re Russian safety program; Assured Crew 
         Return Vehicle policy; ASAP position on Improved Auxiliary Power Unit; 
         aging aircraft; Solid Rocket Motor nozzle manufacturing; Human Factors 
         Research. NASA Headquarters 

9-10     Review of wind shear/wake vortex program; flight deck research/ 
         simulators; aging aircraft; tire wear and crash safety; High-Speed 
         Research Program; Zero Visibility Landing, Langley Research Center 

15-18    Review of structured surveillance progress; receipt and handling of 
         Russian hardware; quality control for European supplied hardware; Space 
         Station Processing Facility, Kennedy Space Center 

17       Software Process Action Team Meeting, NASA Headquarters 

31       Review of Improved Auxiliary Power Unit, Sundstrand, Rockford, IL 

SEPTEMBER 

12-13    Review of Fire Safety Research; Aircraft Operations; US/Russian Solar 
         Dynamic Power System; Launch Vehicles; Aeronautics; and Chemical 
         Rockets. Lewis Research Center 

19       Letter Report to the Administrator, New Gas Generator Valve Module and 
         Auxiliary Power Unit 

27       Letter Report to the Administrator, Measures of Safety 



OCTOBER 

4-5      Integrated Logistics Panel Meeting, New Orleans, LA 

18       Safety Program Review, Dryden Flight Research Center 

19       Space Shuttle Main Engine and Manufacturing Processes and Supplier 
         Management Reviews, Rocketdyne, Canoga Park, CA 

20       Review of Orbiter return to launch site; tiles; Global Positioning System; 
         Multi-Function Electronic Display System; and Space Shuttle/Russian 
         Program, Rockwell, Downey, CA 

NOVEMBER 

8-9      Integrated Logistics Panel Meeting, Kennedy Space Center 

9-10     Review of the Space Station Program; Russian Safety Process; Assured 
         Crew Return Vehicle; and Shuttle/Mir, Johnson Space Center 

16-17    Review of TU-144 Program and Shuttle/Mir, NASA Headquarters 

23       Review of Microwave Scanning Beam Landing System, 
         Rockwell, Downey, CA 

30       Review of the Shuttle/Mir Docking Mechanism, NASA Headquarters 

DECEMBER 

5        Review of NASA Independent Verification and Validation Lab, Fairmont, 
         WV 

14-17    Panel Plenary Session, NASA Headquarters 

JANUARY 

9        Review of safety functions, Kennedy Space Center 

18       STS-63 Flight Readiness Review, Kennedy Space Center 




